A 2024 cyberattack at a mental health provider led to the exposure of personal, medical, and financial data across multiple states.
Western Montana Mental Health Center (WMMHC) confirmed a data breach affecting 86,758 individuals, involving unauthorized access to both personally identifiable information (PII) and protected health information (PHI). The breach was discovered on September 15, 2024, and reported to the U.S. Department of Health and Human Services (HHS) on November 14, 2024.
The exposed data includes names, Social Security numbers, driver's license numbers, dates of birth, state and federal ID numbers, financial account information, health insurance details, and medical records. The breach impacts individuals across multiple states.
WMMHC officially notified affected individuals by mail starting July 17, 2025. That same day, a Notice of Data Security Incident was published on the organization’s website. Given the nature of the compromised data, the incident is considered high risk for identity theft, medical fraud, and unauthorized use of personal financial details.
As part of its response, WMMHC is offering free IDX identity protection services to impacted individuals. The organization has not publicly confirmed whether ransomware or any specific threat actor was involved.
According to the official notice from Western Montana Mental Health Center, “certain files were accessed without authorization” during a network disruption discovered in September 2024. The center later confirmed that personal and protected health information including Social Security numbers, medical data, and financial account details may have been involved. “The privacy and protection of personal and protected health information is a top priority,” WMMHC stated, noting that it has implemented new security measures and notified federal authorities.
Behavioral health organizations often hold detailed medical and psychological records, which are highly valuable on black markets and can be exploited for medical identity theft or targeted scams.
IDX is a third-party service offering credit monitoring, identity theft insurance, fraud recovery, and other tools to help individuals detect and respond to misuse of their personal information.
Breach response timelines can be extended due to forensic investigations, legal review, regulatory compliance steps, or the time required to identify affected individuals and verify the scope of the breach.