Full Report
WVNews reports that personal and protected health information of 462,000 Montanans was involved in a significant data breach experienced by Conduent Business Services from October 2024 to January 2025. The state’s Insurance and Securities Commission wants to know why Blue Cross Blue Shield of Montana (BCBSM) didn’t notify the state sooner. The breach came to...
Analysis Summary
# Incident Report: Conduent Data Breach Impacting BCBS Montana PHI
## Executive Summary
A significant data breach at third-party service provider Conduent Business Services, in which a threat actor held access from October 2024 to January 2025, resulted in the exposure of Protected Health Information (PHI) and sensitive personal data belonging to 462,000 members of Blue Cross Blue Shield of Montana (BCBSM). Conduent discovered the intrusion internally on January 13, 2025, but did not disclose it publicly until April 2025, and the resulting delay in notifying state authorities has drawn regulatory scrutiny.
## Incident Details
- **Discovery Date:** January 13, 2025 (Internal discovery by Conduent)
- **Incident Date:** October 21, 2024 – January 13, 2025 (Duration of threat actor access)
- **Affected Organization:** Blue Cross Blue Shield of Montana (BCBSM) (Client impacted) / Conduent Business Services (Primary victim/system owner)
- **Sector:** Healthcare Services / Business Process Outsourcing (BPO)
- **Geography:** Montana (Affected members) / Conduent's own operating environment (Compromised systems; physical location not stated)
## Timeline of Events
### Initial Access
- **Date/Time:** On or around October 21, 2024
- **Vector:** Threat actor gained unauthorized access to a "limited portion" of Conduent’s environment. The specific initial access vector is not detailed.
- **Details:** The October 21 start date was established retroactively by the investigation; the access was not noticed until the operational disruption of January 13, 2025 (see Detection & Response).
### Lateral Movement
- Details regarding internal lateral movement are not specified. The threat actor nonetheless reached files associated with Conduent's clients, so whether this required movement beyond the initially compromised "limited portion" of the environment is unknown.
### Data Exfiltration/Impact
- **Date/Time:** Determined to have occurred between October 2024 and January 2025.
- **Impact:** A set of files containing significant personal information about clients' end users was exfiltrated. For BCBSM, this included PHI and PII for 462,000 members.
### Detection & Response
- **Date/Time:** January 13, 2025
- **Detection:** Conduent experienced an operational disruption and learned of the unauthorized access.
- **Response actions taken:** Conduent "activated its cybersecurity response plan with the help of external cybersecurity experts to contain, assess, and remediate the incident." Systems were restored "within days, and in some cases, hours." Federal law enforcement was notified. Subsequent analysis confirmed data exfiltration, leading to SEC filing in April 2025 and notification to clients like BCBSM.
## Attack Methodology
- **Initial Access:** Gained unauthorized access to Conduent's environment (Specific means unknown).
- **Persistence:** Mechanism not detailed, but the threat actor retained access for roughly three months (October 21, 2024 to January 13, 2025).
- **Privilege Escalation:** Not specified.
- **Defense Evasion:** Not specified. Detection was triggered by an operational disruption rather than by security monitoring, which indicates the access went unflagged for roughly three months.
- **Credential Access:** Not specified.
- **Discovery:** Not specified, but files relevant to clients were located.
- **Lateral Movement:** Not specified; the threat actor reached client data files, but whether this required movement beyond the initially compromised "limited portion" of the environment is not stated.
- **Collection:** Threat actor exfiltrated a set of files containing client data.
- **Exfiltration:** Exfiltration of the set of files was confirmed.
- **Impact:** Theft of PII and PHI.
## Impact Assessment
- **Financial:** Conduent accrued "material non-recurring expenses in the first quarter related to the event based on potential notification requirements."
- **Data Breach:** PHI and PII of 462,000 BCBSM members were involved. Specific data types include Social Security numbers, birth dates, medical service details (treatment/diagnosis codes, provider names, claim amounts). (Total breach scope across all clients estimated at 4.3 million individuals).
- **Operational:** Conduent stated the disruption did not have a "material impact to the Company’s operations," with systems restored quickly.
- **Reputational:** Significant scrutiny from the Montana Insurance and Securities Commission over the months-long gap between Conduent's January 2025 discovery and the notification that reached the state regulator. The incident has been covered by multiple news outlets.
## Indicators of Compromise
*Specific IOCs were not provided in the summary article.*
- **Network indicators:** (None provided)
- **File indicators:** (None provided)
- **Behavioral indicators:** Long-term presence/access (Oct '24 - Jan '25); Unauthorized file exfiltration.
## Response Actions
- **Containment:** Activated cybersecurity response plan with external experts to contain the incident immediately following detection on January 13, 2025.
- **Eradication:** Remediated the affected systems.
- **Recovery:** Restored affected systems and returned to normal operations within days/hours. Subsequent forensic analysis was conducted using data mining experts.
- **Notification:** Notified federal law enforcement. Disclosed the incident in an SEC filing in April 2025 once exfiltration was confirmed, and notified affected clients such as BCBSM; the subsequent notification of state regulators is the step now under scrutiny in Montana.
## Lessons Learned
- The timeline indicated a significant gap between internal discovery (Jan 2025) and public/regulatory disclosure months later (April/October 2025).
- Reliance on third-party vendors (Conduent) introduces significant third-party risk, as the vendor's security posture directly impacts client data (PHI).
- The complexity of analyzing exfiltrated data should be anticipated to avoid extensive delays in scoping and customer notification decisions.
## Recommendations
- BCBSM must urgently review its vendor risk management program with Conduent, focusing on required incident notification SLAs and visibility into vendor security posture.
- Organizations relying on third parties for services involving PHI must ensure robust contractual obligations require timely breach notification that meets strict regulatory timelines.
- Implement enhanced, continuous monitoring capabilities to detect unauthorized access and exfiltration earlier than the 3-month window observed in this incident.
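The behavioral indicators listed above (long-term presence and bulk file exfiltration) and the recommendation for continuous monitoring both come down to one detection question: does a host's outbound transfer volume, or its set of external destinations, suddenly depart from its own baseline? The block below is an added illustration of that check, not code from the original page and not anything Conduent or BCBSM runs. The log format (a daily `date,host,dst_ip,bytes_out` export such as an egress proxy or NetFlow collector might produce), the host names, the thresholds and the sample lines are all constructed assumptions; the documentation IP ranges stand in for external hosts.

```python
"""Baseline-and-deviation check for bulk outbound transfers.

Each record is (day, host, destination, bytes_out). The detector learns a
per-host baseline over a training window and flags later days where the
host's outbound volume to external destinations jumps well above that
baseline, or where it sends data to a destination it has never used.
"""
from collections import defaultdict
from statistics import median
import ipaddress

# Constructed sample log lines (not from any real environment). The first
# ten lines are the training window; the last four are the days under test.
# 192.0.2.x / 198.51.100.x / 203.0.113.x are documentation ranges used here
# as stand-ins for external destinations; 10.0.0.5 is an internal host.
SAMPLE_LOG = """\
2024-10-14,fs-01,203.0.113.10,120000
2024-10-15,fs-01,203.0.113.10,110000
2024-10-16,fs-01,203.0.113.10,130000
2024-10-17,fs-01,203.0.113.10,125000
2024-10-18,fs-01,203.0.113.10,115000
2024-10-14,app-02,198.51.100.7,50000
2024-10-15,app-02,198.51.100.7,52000
2024-10-16,app-02,198.51.100.7,48000
2024-10-17,app-02,198.51.100.7,51000
2024-10-18,app-02,198.51.100.7,49000
2024-10-21,fs-01,203.0.113.10,118000
2024-10-21,fs-01,192.0.2.55,9500000000
2024-10-21,app-02,198.51.100.7,50500
2024-10-22,fs-01,10.0.0.5,4000000000
"""

# RFC 1918 ranges are treated as internal; everything else counts as egress.
# (ipaddress.is_global would also exclude the documentation ranges, so the
# check is written explicitly.)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(dst: str) -> bool:
    addr = ipaddress.ip_address(dst)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_log(text: str):
    """Parse 'YYYY-MM-DD,host,dst_ip,bytes_out' lines into tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        day, host, dst, nbytes = line.split(",")
        records.append((day, host, dst, int(nbytes)))
    return records


def build_baseline(records, train_end: str):
    """Per-host median daily egress bytes and known external destinations,
    learned from days <= train_end (ISO dates compare correctly as strings)."""
    daily = defaultdict(lambda: defaultdict(int))   # host -> day -> bytes
    known = defaultdict(set)                        # host -> {dst}
    for day, host, dst, nbytes in records:
        if day > train_end or not is_external(dst):
            continue
        daily[host][day] += nbytes
        known[host].add(dst)
    baseline = {host: median(days.values()) for host, days in daily.items()}
    return baseline, known


def detect(records, train_end: str, ratio: float = 10.0,
           min_bytes: int = 1_000_000_000):
    """Return (day, host, reasons) for each post-training day on which a
    host's egress is both above min_bytes and >= ratio x its baseline, or on
    which it contacted an external destination unseen during training."""
    baseline, known = build_baseline(records, train_end)
    daily = defaultdict(lambda: defaultdict(int))
    new_dst = defaultdict(set)
    for day, host, dst, nbytes in records:
        if day <= train_end or not is_external(dst):
            continue
        daily[host][day] += nbytes
        if dst not in known.get(host, set()):
            new_dst[(host, day)].add(dst)
    alerts = []
    for host, days in daily.items():
        for day, total in sorted(days.items()):
            reasons = []
            base = baseline.get(host)          # None for a host with no history
            if total >= min_bytes and (base is None or total >= ratio * base):
                reasons.append(f"outbound {total} B vs baseline {base}")
            if new_dst.get((host, day)):
                reasons.append("new external destination(s): "
                               + ",".join(sorted(new_dst[(host, day)])))
            if reasons:
                alerts.append((day, host, reasons))
    return alerts


if __name__ == "__main__":
    for day, host, reasons in detect(parse_log(SAMPLE_LOG), "2024-10-18"):
        print(day, host, "; ".join(reasons))
```

On the constructed input only `fs-01` on 2024-10-21 is flagged: its egress is roughly 9.5 GB against a 120 KB median and it pushes that volume to a destination absent from its history, while the 4 GB transfer to 10.0.0.5 the next day is internal and ignored. The caveat a practitioner should keep in mind is that this catches a bulk transfer, not a low-and-slow exfiltration that stays under `ratio` x baseline each day; the same scaffolding extended with per-destination baselines and a multi-day cumulative window covers the second case.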