Judge lets investigation into data breach affecting BCBS members move forward

pHELENA â This week a state district judge in Helena issued a ruling allowing the Montana State Auditorâs Office to move forward with its investigation into a data breach that may have affected hundreds of thousands of customers with Blue Cross Blue Shield of MontanappJudge Chris Abbott dismissed a lawsuit from BCBSMTâs parent company Health Care Service Corporation which had argued the auditorâs investigation was unlawful State Auditor James Brown said he saw the ruling as upholding his regulatory authorityppâI would call it reaffirming the obvious which is what the court didâ he said âClearly the Montana Legislature has given me the authority to look into the affairs of companies that do business in Montana in the insurance field and to see and to determine and to investigate whether laws may have been brokenâppWatch the video for more on the judges decisionppIn October BCBSMT â the largest health insurance provider in Montana â said that up to 462000 of its membersâ data may have been exposed by a âcyber incidentâ affecting Conduent a thirdparty vendor The company reported the incident to Brownâs office which launched an investigationppThe state auditor is Montanaâs commissioner of securities and insurance The agency said they were looking into whether BCBSMT complied with a state law that requires insurers to provide timely notice when they experience a data breachppâIts onethird of the states population whose personal data is compromisedâ Brown saidppHowever HCSC filed suit asking the judge to rule that the auditorâs office didnât have the authority to conduct this investigation They argued BCBSMT has been exempt from the state reporting requirement because they were instead covered under a federal lawppLast year the Legislature passed and Gov Greg Gianforte signed House Bill 60 which changed state law to require companies with that federal exemption to still follow data breach notification rules BCBSMT says HB 60 didnât take effect until Oct 1 and that they learned about the breach from Conduent on July 1 and completed their own analysis of the impacts on member data on Sept 23 The company argues there was no provision to make the bill retroactive so their exemption still applies to any breach that happened before Oct 1 They said their notification to Brownâs office was only a âcourtesyâppAbbott agreed with Brownâs office which argued BCBSMT couldnât bring their complaint to court until the auditorâs investigative process is complete His ruling did not deal with the actual substance of the companyâs arguments He said if the auditorâs findings go against BCBSMT the company can challenge them in court at that timeppâTo permit a declaratory judgment action here would be to use the UDJA to afford Blue Cross an opportunity to âskip the administrative processâ and obtain an avenue to immediate judicial review of the Commissionerâs actions that Blue Cross does not otherwise possessâ Abbott wroteppThe auditorâs office brought in a hearing examiner who took testimony at a public hearing in January Brown said the lawsuit had delayed the process but he expected the examiner would now resume working on findings including whether they believe laws were violated and whether any penalties are warranted Whatever recommendations the examiner makes will go to Brown for a final decisionppâMontana has very strong laws protecting privacy of Montana citizens and I take that obligation and responsibility to protect the rights and personal data of Montanans very responsiblyâ said Brown âIm pleased that the district court in Helena is allowing us to move forward with our investigationâppMTN reached out to BCBSMT for a response to Abbottâs decision The company declined to comment on pending litigationp