Blue Cross Blue Shield of Montana Faces Data Breach Probe
Health Care Service Corporation, doing business as Blue Cross Blue Shield of Montana (BCBSMT), is facing a probe into whether the company complied with Montana’s breach notification law following a significant data breach that impacted approximately 462,000 Montanans.
Like many health insurance providers, BCBSMT contracted with Conduent Business Services, a business associate that provides back-office administrative services to HIPAA-covered entities and government agencies. On January 13, 2025, Conduent identified unauthorized access to its network, and its forensic investigation confirmed that a threat actor had access to its network for three months between October 13, 2024, and January 13, 2025. Data compromised in the incident included names, addresses, dates of birth, Social Security numbers, health plan and medical record identifiers, diagnosis and treatment codes, provider details, and claims information. The Safepay ransomware group claimed responsibility for the attack.
Conduent disclosed the attack in a filing with the U.S. Securities and Exchange Commission (SEC) on April 9, 2025, although at the time the investigation was ongoing to determine the extent of the data breach. It has been more than a year since the attack was detected, and it is still unclear how many individuals have been affected. The Oregon Attorney General was notified that around 10.5 million individuals had been affected nationwide, and subsequently, the Texas Attorney General was informed that 14.7 million Texas residents had been affected.
In January 2025, BCBSMT was notified by Conduent that it was one of the affected clients; however, BCBSMT did not notify the affected individuals until October 2025 – a year after Conduent’s systems were first breached and 9 months after it first learned that it had been affected. State regulators launched a probe to determine if BCBSMT was compliant with state data breach notification law, which requires notifications to be issued without unreasonable delay. State regulators also seek to establish the circumstances surrounding the data breach.
The Montana Office of the Commissioner of Securities and Insurance (CSI) scheduled a public administrative hearing on January 22, 2026, to gather evidence about the breach, establish a timeline of events, and determine how BCBSMT responded to the incident. BCBSMT sought a temporary restraining order from the Lewis and Clark County District Court to prevent the hearing from taking place; however, the court denied the request.
“It is troubling that it appears [BCBS] attempted to avoid regulatory oversight and accountability by seeking to block this hearing through the courts,” said Montana CSI communications director Tyler Newcombe. “Our office is committed to protecting Montanans and ensuring a fair, transparent, and very serious process when sensitive personal and health data may have been placed at risk. Our office will consider all the evidence and then issue a final order in due course.”
A Hearing Examiner will review the record from the hearing and will propose a decision for the Commissioner to consider. The Commissioner will publish further information about the timeline of events to ensure transparency over the lengthy delay in issuing breach notifications.
The post Blue Cross Blue Shield of Montana Faces Data Breach Probe appeared first on The HIPAA Journal.
Beyond HIPAA: Reimagining How Privacy Laws Apply to Health Data to Maximize Equity in the Digital Age – EPIC – Electronic Privacy Information Center
Urology Associates of Green Bay alerts patients to data security incident involving emails – fox11online.com
Texas & New Jersey Dermatology Practices Settle Class Action Data Breach Lawsuits – The HIPAA Journal
Health Plan To Do List – Update the HIPAA Privacy Notice by February 16, 2026 – JD Supra
Mitchell County Dept. Social Services; 360 Dental; GiaCare Announce Data Breaches
Protected health information has been exposed in data security incidents at Mitchell County Department of Social Services in North Carolina, 360 Dental in Pennsylvania, and GiaCare in Florida.
Mitchell County Department of Social Services
Individuals who received services from Mitchell County Department of Social Services in North Carolina have had their sensitive information stolen in a ransomware attack. The investigation into the October 2025 ransomware attack on Mitchell County was initiated on October 20, 2025, following the encryption of files. The attack caused email and phone outages that lasted for several days. The forensic investigation confirmed that there had been unauthorized network access between October 16, 2025, and October 20, 2025, during which time files were exfiltrated.
The data review and investigation are ongoing to determine the types of information involved and the individuals affected. After that information has been confirmed and up-to-date contact information has been obtained, notification letters will be mailed to the affected individuals. Complimentary credit monitoring and identity theft protection services will be offered to the affected individuals, if appropriate, for instance, if their Social Security numbers were compromised in the incident.
The data breach has been reported to the HHS’ Office for Civil Rights using an interim total of 501 individuals. The total will be updated when County officials have confirmed the total number of affected individuals. County officials have confirmed that steps have been or will be taken in response to the incident to strengthen security. Those measures include upgrading the County email system, deploying additional software to enhance detection and accelerate the County’s response to cyber incidents, updating password policies, and strengthening restrictions for access to computer systems.
360 Dental
360 Dental in Philadelphia, PA, has recently reported a data breach to the HHS’ Office for Civil Rights that has affected 11,273 individuals. According to its substitute breach notice, this was a ransomware attack that resulted in file encryption. The incident was detected on November 16, 2025, and the file review confirmed that sensitive patient data had been exposed in the incident.
The types of data involved varied from individual to individual and may have included names in combination with one or more of the following: date of birth, address, telephone number, email, patient account or chart number, dental and clinical records (such as treatment history, clinical notes, x-rays, and diagnostic information), insurance provider and member ID, appointment information, and emergency contacts. A limited number of Social Security numbers were also exposed.
360 Dental has taken steps to improve security following the ransomware attack. The affected computers have been replaced, the affected server has been rebuilt, software has been updated, and additional security tools have been implemented, including firewalls, antivirus software, multifactor authentication, and VPN-only remote access.
GiaCare
GiaCare, a Coral Springs, Florida-based company that provides healthcare staffing and IT services to government entities and healthcare organizations, has recently announced a data security incident, first identified on or around December 23, 2025.
GiaCare learned that a vulnerability existed in Gladinet CentreStack, a third-party file sharing platform. GiaCare worked closely with its IT vendor to investigate and confirm the security of its systems and data. The IT vendor confirmed that GiaCare’s systems were secure and had not been accessed; however, the vulnerability had been exploited, and data within the Gladinet CentreStack platform had been accessed and exfiltrated by an unauthorized third party on December 6, 2025. While the threat actor involved was not named, several cybersecurity firms linked the Gladinet CentreStack attacks to the Cl0p ransomware group – a group known to target zero-day vulnerabilities in file-sharing platforms.
The file review confirmed that names, Social Security numbers, and driver’s license numbers were compromised in the incident. The affected individuals are being notified by mail and have been offered complimentary credit monitoring and identity theft protection services. The number of affected individuals has yet to be publicly disclosed.
The post Mitchell County Dept. Social Services; 360 Dental; GiaCare Announce Data Breaches appeared first on The HIPAA Journal.
Texas & New Jersey Dermatology Practices Settle Class Action Data Breach Lawsuits
Two U.S. dermatology practices have agreed to settle class action lawsuits stemming from cybersecurity incidents that exposed patient data. The settlements provide cash benefits to class members and credit monitoring and identity theft protection services.
Affiliated Dermatologists & Dermatologic Surgeons Class Action Settlement
Affiliated Dermatologists & Dermatologic Surgeons, a dermatology practice based in Morristown, New Jersey, learned about a cybersecurity incident on March 4, 2025. The forensic investigation determined that an unauthorized third party had access to its computer network from December 19, 2023, to March 5, 2024. The review of the exposed files determined that they contained the protected health information of 373,630 individuals, including names, mailing addresses, birth dates, Social Security numbers, medical treatment information, and health insurance claims information. Compromised employee information includes names, mailing addresses, birth dates, Social Security numbers, driver’s license numbers, and passport numbers.
Notification letters were mailed to the affected individuals in late May 2024. Shortly thereafter, class action lawsuits were filed in the Superior Court of New Jersey Law Division for Morris County and the United States District Court for the District of New Jersey. The six class action lawsuits were consolidated – Lepore, et al. v. Affiliated Dermatologists & Dermatologic Surgeons, P.A. – in the Superior Court of New Jersey Law Division for Morris County as they had overlapping claims.
Affiliated Dermatologists & Dermatologic Surgeons deny all claims of wrongdoing and liability and filed a motion to dismiss the consolidated lawsuit. The legal challenge was partially successful, with a judge agreeing to dismiss some of the plaintiffs’ claims; however, the lawsuit was allowed to proceed. Following mediation, all parties reached an agreement on the material terms of a settlement, and after several weeks of negotiations, a settlement was finalized, which has received preliminary approval from the court.
The settlement provides cash payments for class members, which have been capped at an aggregate of $1,000,000. Should the total claims exceed that amount, the cash payments will be reduced pro rata. Class members may submit a claim for reimbursement of up to $5,000 for documented, unreimbursed losses related to the data breach. Alternatively, class members may claim a cash payment, in the preset amount of $40. Regardless of the cash payment chosen, class members are entitled to three years of single-bureau credit monitoring and identity theft insurance services.
The deadline for exclusion from and objection to the settlement is January 31, 2026. The deadline for submitting a claim is February 15, 2026, and the final fairness hearing has been scheduled for March 2, 2026.
U.S. Dermatology Partners Class Action Settlement
U.S. Dermatology Partners, a network of more than 100 dermatology practices in Arizona, Colorado, Kansas, Maryland, Missouri, Oklahoma, Texas, and Virginia, experienced a cyberattack and data breach in June 2024. The incident was detected on June 19, 2024, when network disruption was experienced. The forensic investigation determined that a threat actor exfiltrated files to an external location on June 19, 2024. The file review confirmed that the protected health information of 13,986 individuals was stolen in the incident, including names, dates of birth, medical record numbers, health insurance information, and other information related to the dermatology services received at one of its managed practices. Notification letters were mailed to the affected individuals on May 30, 2025.
On April 27, 2025, a class action lawsuit – Olson v. Oliver Street Dermatology Management LLC d/b/a U.S. Dermatology Partners – was filed in the United States District Court for the Northern District of Texas in response to the data breach. The litigation was determined to be more appropriate for state court and was dismissed and refiled in the appropriate court. The lawsuit asserted claims of negligence, negligence per se, breach of implied contract, and unjust enrichment.
While the defendant denies all claims of wrongdoing and liability, all parties ultimately agreed to settle the litigation. Under the terms of the settlement, all class members are entitled to claim two years of credit monitoring and identity theft protection services. In addition, a claim may be submitted for reimbursement of lost time and documented losses due to the data breach. The lost time claims have been capped at $80 per class member (up to 4 hours at $20 per hour). Claims for reimbursement of ordinary losses have been capped at $400 per class member, and claims for reimbursement of extraordinary losses have been capped at $4,000 per class member. There is no alternative cash payment.
The deadline for objection to and exclusion from the settlement is February 2, 2026. The deadline for submitting a claim is February 17, 2026, and the final fairness hearing has been scheduled for April 1, 2026.
The post Texas & New Jersey Dermatology Practices Settle Class Action Data Breach Lawsuits appeared first on The HIPAA Journal.