Business Associate Data Breach Affects 462,000 Blue Cross Blue Shield of Montana Members

Posted by Steve Alder

Approximately 462,000 current and former customers of Blue Cross Blue Shield of Montana (BCBSMT) have been affected by a cyberattack on its New Jersey-based business associate, Conduent Business Services. Conduent Business Services provides BCBSMT with payment, document processing, and other back office services, which require access to BCBSMT members’ protected health information. On January 13, 2025, Conduent Business Services identified a security incident that caused operational disruption – terminology typically used to describe a ransomware attack.

Conduent Business Services was able to restore access to the affected systems and return to normal business operations within a few days. The investigation confirmed unauthorized access to its IT environment commencing on October 21, 2024, and lasting for almost three months. During that time, files were exfiltrated from its network. On April 9, 2025, Conduent Business Services disclosed the cyberattack in a filing with the U.S. Securities and Exchange Commission (SEC). At the time, it was unclear exactly how many individuals had been affected.

On October 8, 2025, Conduent Business Services notified the California Attorney General about the data breach, which reportedly affected approximately 4.3 million individuals. It is unclear how many of the company’s clients were affected by the breach, and if the breach affected any other HIPAA-covered entity clients. The breach is not currently listed on the HHS’ Office for Civil Rights website.

BCBSMT notified the Montana State Auditor’s Office about the data breach in early October, almost one year after the breach was first detected by its business associate. BCBSMT claims to have been notified that it was affected earlier this year and has been conducting its own investigation and reviewing the affected data. The review was not completed until September 23, 2025. The BCBSMT data breach is not listed on the OCR breach portal, although the breach portal has not been updated by OCR since September 24, 2025, due to the government shutdown. The Montana State News Bureau learned about the data breach after submitting a records request. The obtained documents indicate that up to 462,000 Montanans have been affected, and that the compromised information included names, birth dates, Social Security numbers, treatment and diagnosis codes, provider names, and claims amounts.

The Montana Commissioner of Securities and Insurance has launched an investigation to determine if there has been a violation of state data breach notification laws, which require individuals to be notified about a data breach in a timely manner. Breached entities must also notify the Department of Justice about a data breach without unreasonable delay, but there is currently no listing on the DOJ consumer protection website about the data breach. The state auditor is seeking answers to questions about the data breach and has requested a copy of its privacy and security policies. Should BCBSMT be determined to have failed to comply with state laws, financial penalties may be imposed.

The post Business Associate Data Breach Affects 462,000 Blue Cross Blue Shield of Montana Members appeared first on The HIPAA Journal.

State Medicaid Agencies Need to Improve Security Controls for MMIS and E&E Systems

Posted by Steve Alder

Penetration tests conducted on ten State Medicaid Management Information Systems (MMIS) and Eligibility & Enrollment (E&E) systems have revealed they contain vulnerabilities that could potentially be exploited in sophisticated cyberattacks. The penetration tests were conducted on behalf of the Department of Health and Human Services’ Office of Inspector General (HHS-OIG) by a third-party penetration testing company between 2020 and 2022 to determine the effectiveness of information technology system controls in preventing attacks on web-facing MMIS and E&E systems.

The penetration tests were conducted in response to an increase in cyberattacks targeting MMIS and E&E systems. These systems are attractive targets as they contain significant amounts of valuable and sensitive data. HHS-OIG has observed an increase in multiple threat types targeting these systems, including ransomware attacks, phishing, and denial-of-service attacks. Between 2012 and 2023, at least six U.S. states have experienced cyberattacks that resulted in access being gained to significant amounts of Medicaid data, including an attack in Texas in 2021 that affected approximately 1.8 million individuals, a data breach in Utah that affected 780,000 Medicaid recipients, and a data breach in South Carolina that affected 228,000 Medicaid recipients.

The penetration tests simulated cyberattacks. While the security controls were found to be generally effective at blocking unsophisticated or limited cyberattacks, improvements are required to prevent more sophisticated attacks and persistent threats. The cybersecurity controls implemented by the nine states – Alabama, Illinois, Maryland, Massachusetts, Michigan, Minnesota, South Carolina, South Dakota, Utah – and Puerto Rico responded to and blocked some of the HHS-OIG’s simulated cyberattacks, but not others. Simulated phishing attempts were also conducted on a selection of employees to determine whether they had received adequate security awareness training.

The most common NIST security controls that were identified as ineffective in most of the audited states were website transmission confidentiality and integrity controls; flaw remediation controls to properly identify, report, and correct software flaws; information input validation controls to verify the validity or properly sanitize the information system input for public-facing systems; and error handling controls to prevent disclosure of information.

The common causes were developers and contractors that were unaware of government standards or industry best practices; the failure to securely configure and patch flaws in a timely manner; the failure to assess all components in MMIS and E&E systems (e.g. third party plug-ins and libraries); infective procedures for testing security controls; and delays in detecting, reporting, and fixing flaws in systems.

HHS-OIG made 27 recommendations to the nine states and Puerto Rico for improving security controls, policies, and procedures. The most common recommendations included: patching outdated servers; improving input sanitization on web servers; enhancing vulnerability detection tools; conducting periodic evaluations of the effectiveness of security controls; updating cryptographic settings; improving vulnerability management strategies; and ensuring server configurations support secure protocols

The post State Medicaid Agencies Need to Improve Security Controls for MMIS and E&E Systems appeared first on The HIPAA Journal.

Ransomware Groups’ Evolving Tactics Spur 44% Increase in Ransom Demands

Posted by Steve Alder

Ransomware groups are conducting fewer attacks than a year ago, and are increasingly adopting a more targeted approach using stealthy tactics to achieve more impactful results, according to the 2025 Global Threat Landscape Report from the network detection and response (NDR) company ExtraHop.

Indiscriminate attacks are being dropped in favor of targeted, sophisticated attacks that allow ransomware actors to spend longer inside victims’ networks as they move undetected to achieve an extensive compromise before deploying their file-encrypting payloads. Attacks are designed to cause maximum damage and extensive downtime, which both increases the likelihood of a ransom being paid and allows them to obtain higher ransom payments. ExtraHop reports that in the space of a year, the average ransom demand has increased by more than one million dollars, from $2.5 million a year ago to $3.6 million, although ransom demands are higher for healthcare organizations and government entities. 70% of victims end up paying the ransom.

Last year, ExtraHop tracked an average of 8 incidents per organization compared to 5-6 incidents this year. Ransomware actors typically have access to victims’ networks for almost two weeks before they launch their attack, during which time sensitive data is exfiltrated. It typically takes victims more than two weeks to respond to a security alert and contain an attack, with the attacks causing an average downtime of around 37 hours.

Only 17% of attacks are detected during the reconnaissance phase, with 29% detected during initial access, but 30% of attacks are detected later on in the attack phase when file exfiltration has commenced (12%), data is encrypted (13%), or the ransom note is received (5%). While attacks are becoming increasingly sophisticated and harder to detect with traditional security tools, the initial access vectors have largely remained unchanged, with phishing and social engineering the most common means of infiltration. Phishing/social engineering was the infiltration method in 33.7% of attacks, software vulnerabilities were exploited in 19.4% of attacks, supply chain compromises were behind 13.4% of attacks, and software misconfigurations were exploited in 13% of attacks. ExtraHop has observed a marked increase in the use of compromised credentials for initial access, which were used in 12.2% of attacks. Legitimate credentials allow attackers to access networks, move laterally, and remain in networks undetected for extended periods, often escalating privileges to compromise more sensitive systems.

The biggest areas of cybersecurity risk for defenders were the public cloud (53.8%), third-party services and integrations (43.7%), and generative AI applications (41.87%). The main challenges faced by defenders were limited visibility into their entire environment (41%), insufficient staffing or a skills gap (35.5%), alert fatigue due to an overwhelming number of security alerts (34%), poorly integrated tools (34%), insufficient or manual SOC workflows (33%), insufficient budget and executive support (29%), and organizational silos (26%). The problem for many organizations is that they are grappling with a complex range of equally pressing obstacles.

ExtraHop’s advice is to first understand the full attack surface, which means knowing exactly what is in the network and where vulnerabilities exist. While it is important to have robust perimeter defenses, internal traffic must be monitored as attackers are increasingly able to penetrate defenses. Through effective monitoring, organizations can identify and block attacks before escalation, data theft, and encryption. While it is essential to understand what threat actors are doing today, it is important to keep abreast of evolving tactics to be prepared for what will happen tomorrow, including attackers’ use of emerging technologies.

The post Ransomware Groups’ Evolving Tactics Spur 44% Increase in Ransom Demands appeared first on The HIPAA Journal.

Fraser Child and Family Center Agrees to $760,000 Data Breach Settlement

Posted by Steve Alder

Fraser Child and Family Center has agreed to pay $750,000 to settle class action litigation over a 2024 data breach. Fraser Child and Family Center is a Minnesota-based provider of autism, mental health, behavioral health, and disability services. Between May 30, 2024, and June 2, 2024, an unauthorized third party was able to access parts of its IT environment that contained the protected health information of approximately 67,000 individuals. Information potentially stolen in the incident included names, addresses, dates of birth, Social Security numbers, and medical information. The affected individuals were notified about the breach in September 2024.

Class action lawsuits were filed in response to the data breach by four plaintiffs, individually and on behalf of their minor children and similarly situated individuals. Since the lawsuits had overlapping claims and were based on the same facts, they were consolidated into a single lawsuit – In re: Fraser Child and Family Center – which was filed in the District Court for Hennepin County, Minnesota.

The lawsuit asserted several claims, including negligence, breach of contract, breach of fiduciary duty, invasion of privacy – intrusion upon seclusion, unjust enrichment, and a failure to provide adequate breach notifications. Fraser Child and Family Center denies wrongdoing and liability and filed a motion to dismiss. Shortly thereafter, all parties began to explore the possibility of early resolution of the litigation, and a settlement was agreed upon that was acceptable to all parties. The settlement agreement has now been finalized and has received preliminary approval from the court.

Following the data breach, Fraser Child and Family Center implemented additional safeguards to further protect information stored on its network. In addition, a $750,000 settlement fund will be established to cover attorneys’ fees and expenses, settlement administration costs, service awards for the plaintiffs, and benefits for the class members.

All class members are entitled to claim two years of credit monitoring services, which can be either the CyEx Identity Defense Complete package for adults or the CyEx Minor Defense package for minors. In addition, a claim may be submitted for reimbursement of documented, out-of-pocket losses due to the data breach up to a maximum of $2,500 per class member. In lieu of a claim for reimbursement of losses, class members may submit a claim for a cash payment. Cash payments will be paid after all the above costs and expenses have been paid, and the funds will be divided equally between class members who submit a claim for a cash payment.

Class members wishing to object to the settlement or exclude themselves must do so by November 3, 2025. Claims must be submitted by December 1, 2025, and the final fairness hearing has been scheduled for November 20, 2025.

The post Fraser Child and Family Center Agrees to $760,000 Data Breach Settlement appeared first on The HIPAA Journal.