The Montana hospital is notifying patients of a data security incident from 2024.
The Community Hospital of Montana recently posted a data breach notice on its website. Currently, it’s unknown how many individuals may have been impacted in the incident.
The non-profit, privately owned community hospital said that they became aware of unusual activity on August 12th, 2024, when their IT systems were disrupted.
The hospital said they immediately took steps to secure their digital environment and began working with cybersecurity experts to aid in the investigation.
Through an investigation, The Community Hospital learned that an unknown actor may have accessed or acquired the data from the hospitals’ network between August 10th and August 12th, 2024. After the initial investigation, the hospital conducted a review to identify which individuals had been impacted and what protected health information was involved. The process was completed in May 2025.
The personal and protected health information that may have been involved includes names, dates of birth, Social Security numbers, driver’s license or state identification numbers, U.S. military identification numbers, passport numbers, financial account information, patient account numbers, medical record numbers, Medicare and Medicaid numbers, treatment of information, and health insurance information.
Notices to impacted individuals were mailed out on May 19th, along with steps impacted patients can take to protect their information.
The Community Hospital stated that they “take the privacy and security of all information within its possession very seriously.” The company added that they have “taken additional steps to prevent a similar event from occurring in the future,” but did not detail what those actions would be. The team emphasized that the protection of this data is a “top priority.” “We deeply regret any concern this incident may cause,” the notice read.
Breaches need to be disclosed 60 days from discovery, according to the Department of Health and Human Services. Despite the requirement, many organizations take significantly longer–this may be due to a lack of resources for proper investigation or remediation, or additional delays due to organization, ongoing concerns, and more.
Once data has been accessed by a threat actor, it may be sold to other actors who plan to attempt credit theft or identity fraud. In some cases, data may also be used as leverage in ransomware attacks, where the malicious organization threatens to sell the data if they are not given funds from the victim organization.