Judge lets investigation into data breach affecting Blue Cross Blue Shield members move forward


HELENA — This week, a state district judge in Helena issued a ruling allowing the Montana State Auditor’s Office to move forward with its investigation into a data breach that may have affected hundreds of thousands of customers with Blue Cross Blue Shield of Montana.

Judge Chris Abbott dismissed a lawsuit from BCBSMT’s parent company, Health Care Service Corporation, which had argued the auditor’s investigation was unlawful. State Auditor James Brown said he saw the ruling as upholding his regulatory authority.

“I would call it reaffirming the obvious, which is what the court did,” he said. “Clearly, the Montana Legislature has given me the authority to look into the affairs of companies that do business in Montana in the insurance field, and to see and to determine and to investigate whether laws may have been broken.”


In October, BCBSMT – the largest health insurance provider in Montana – said that up to 462,000 of its members’ data may have been exposed by a “cyber incident” affecting Conduent, a third-party vendor. The company reported the incident to Brown’s office, which launched an investigation.

The state auditor is Montana’s commissioner of securities and insurance. The agency said they were looking into whether BCBSMT complied with a state law that requires insurers to provide timely notice when they experience a data breach.

“It's one-third of the state's population whose personal data is compromised,” Brown said.

However, HCSC filed suit, asking the judge to rule that the auditor’s office didn’t have the authority to conduct this investigation. They argued BCBSMT has been exempt from the state reporting requirement because they were instead covered under a federal law.

Last year, the Legislature passed and Gov. Greg Gianforte signed House Bill 60, which changed state law to require companies with that federal exemption to still follow data breach notification rules. BCBSMT says HB 60 didn’t take effect until Oct. 1, and that they learned about the breach from Conduent on July 1 and completed their own analysis of the impacts on member data on Sept. 23. The company argues there was no provision to make the bill retroactive, so their exemption still applies to any breach that happened before Oct. 1. They said their notification to Brown’s office was only a “courtesy.”

Abbott agreed with Brown’s office, which argued BCBSMT couldn’t bring their complaint to court until the auditor’s investigative process is complete. His ruling did not deal with the actual substance of the company’s arguments. He said that if the auditor’s findings go against BCBSMT, the company can challenge them in court at that time.

“To permit a declaratory judgment action here would be to use the UDJA to afford Blue Cross an opportunity to ‘skip the administrative process’ and obtain an avenue to immediate judicial review of the Commissioner’s actions that Blue Cross does not otherwise possess,” Abbott wrote.

The auditor’s office brought in a hearing examiner, who took testimony at a public hearing in January. Brown said the lawsuit had delayed the process, but he expected the examiner would now resume working on findings, including whether they believe laws were violated and whether any penalties are warranted. Whatever recommendations the examiner makes will go to Brown for a final decision.

“Montana has very strong laws protecting privacy of Montana citizens, and I take that obligation and responsibility to protect the rights and personal data of Montanans very responsibly,” said Brown. “I'm pleased that the district court in Helena is allowing us to move forward with our investigation.”

MTN reached out to BCBSMT for a response to Abbott’s decision. The company declined to comment on pending litigation.