The largest health insurance company in Montana is fighting against the Montana Commissioner of Securities and Insurance as state officials push to find out more information about the largest data breach in state history, and whether Montana Blue Cross-Blue Shield delayed notifying customers that their personal identifying information, including Social Security numbers, may have been breached.

In a contested hearing on Thursday afternoon, attorneys for Montana Blue Cross-Blue Shield pointed to a filing in district court asking the courts to stop the hearing and process. BCBS also objected to the hearing because it said the office wasn’t properly conducting the hearing, objected that staff attorneys were advising hearing officer David Saunders, who serves as the CSI chief of staff, and said the office was unfairly targeting it, when other companies fell victim to the same breach.

The case stems from a massive data breach by Conduent, which is a third-party vendor to BCBS. In testimony Thursday, exhibits showed that Conduent discovered the breach on Jan. 13, 2025, and notified BCBS on Jan. 17, 2025.

But attorneys for Blue Cross-Blue Shield said it wasn’t until July the company discovered its data — including customer identification — had been breached.

Staff from Commissioner James Brown’s office said BCBS didn’t notify them until Oct. 8, and didn’t begin contacting customers about the breach until Oct. 24, and may have still be informing customers as late as last week.

However, attorneys from BCBS argued they had taken responsibility by informing the insurance commissioner of the breach, and for following through with customers.

But the main issue is the gap in timing, which CSI staff have said was not “reasonable.” Montana law requires insurance companies to notify the state if there is a data breach in a “reasonable” amount of time, but the exact definition of reasonable is not detailed in law.

Deputy Insurance Commissioner Erin Snyder told the hearing examiner it was her estimation a gap of months was not reasonable.

Meanwhile, Montana Blue Cross-Blue Shield questioned Snyder about if the office is investigating the Conduent data breach for other companies. Snyder replied the office is investigating the matter, but has not taken any disciplinary action or hearings, as in the case of BCBS.

When counsel for the insurance giant asked why staff were not investigating the other four entities, she replied, “Because it concerns about 200 people.”

The Blue Cross-Blue Shield data breach, on the other hand, affected 462,356 people, and officials there said that personal information, including name, address and Social Security numbers may have been breached. Officials from the CSI office say because of the scope of the breach, affecting approximately one-in-three state residents, they’ve been working to restore data security and monitor identity theft.

After learning of the data breach, CSI set up an artificial intelligence tool on its website to triage the concerns because of such a large number, compared to the handful of CSI staff. Officials said that cost approximately $10,000 to establish the AI assistant.

CSI also alleges that it has not received a final report, required by law, that outlines the full scope of the breach. Furthermore, officials have not been fully briefed.

“It still has not been disclosed to this agency how it happened,” Snyder said.