Montana Mental Health Center faces a data breach impacting over 87,000

A cyberattack on the Western Montana Mental Health Center has exposed the sensitive personal and health information of nearly 87,000 individuals. The breach, which was discovered in September 2024 but only publicly disclosed in July 2025, raises serious concerns about data security in mental health services.

What happened 

On July 17, 2025, Western Montana Mental Health Center (WMMHC) disclosed a serious security breach. The incident stemmed from a cyberattack in mid‑September 2024, when IT systems were disrupted and an unauthorized party accessed and copied sensitive patient data. In total, nearly 86,758 individuals were potentially impacted.

Going deeper 

The breach was first recognized during an IT disruption on September 15, 2024, triggering an investigation assisted by third‑party cybersecurity specialists. While WMMHC confirmed that files outside its electronic medical record (EMR) system were accessed, the EMR itself appears not to have been compromised. Eventually, the full scope was revealed, and notification letters were sent out.

What was said

In the breach notification letter, WMMHC states that it consulted “independent cybersecurity experts” to investigate the cause of the data breach. “As a result of the investigation, we determined that certain files were accessed without authorization,” states the notice. “WMMHC then engaged a third-party data review team to conduct a comprehensive review of those files, and, on or about May 27, 2025, we learned that personal and protected health information belonging to WMMHC was contained within the potentially affected data.”

The statement continues to state that after discovering the data breach, WMMH “implemented measures to enhance security and minimize the risk of a similar incident occurring in the future. WMMHC also notified the Federal Bureau of Investigation and will cooperate with any resulting investigation.”

See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)

FAQS

Is this a HIPAA violation?

Yes. Under the HIPAA Security Rule, covered entities like WMMHC must protect electronic protected health information (ePHI). Unauthorized access and disclosure of patient data are considered a breach under HIPAA.

Read also: The complete guide to HIPAA violations

Has WMMHC faced penalties or enforcement actions yet?

As of now, no public enforcement actions have been announced, but WMMHC may be subject to investigation by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR).

Read also: What triggers a HIPAA investigation?

What is an electronic medical record (EMR)?

An EMR, or electronic medical record, is a digital version of a patient’s paper chart. It contains the medical and treatment history of patients within a single healthcare practice or organization.