Western Montana Mental Health Center Data Breach

NOTICE: If you received a NOTICE OF DATA BREACH letter from Western Montana Mental Health Center, contact the Arnold Law Firm at (916) 777-7777 to discuss your legal options, or submit a confidential Case Evaluation form here.

On July 17, 2025, Western Montana Mental Health Center (“WMMH”), a healthcare provider based in Montana, reported a significant cybersecurity incident to the Attorney General’s Office of Maine (the “Data Breach”). The incident occurred on or about September 15, 2025, when unauthorized actors gained access to WMMH’s network systems. The subsequent investigation concluded on May 27, 2025, confirming that certain files may have been accessed or acquired without authorization. Approximately 86,758 people have been affected.

Recently, WMMH has begun sending data breach notification letters to those affected and is offering 12 months of complimentary identity protection and credit monitoring services through IDX. If you received a data breach notification letter from Western Montana Mental Health Center, it confirms that your data was affected by the Data Breach.

Headquartered in Missoula, Montana, WMMH has provided mental health and substance use treatment to western Montana residents since 1971. Offering 25 individual programs to patients of all ages, WMMH serves more than 15,000 individuals annually.

WHAT INFORMATION IS INVOLVED IN THE WESTERN MONTANA MENTAL HEALTH CENTER DATA BREACH?

According to WMMH, the following types of information have been compromised:  

  • Full names
  • Social Security numbers
  • Driver’s license numbers
  • Dates of birth
  • State or federal identification numbers
  • Medical information
  • Financial account information 
  • Health insurance information

This information is called your Personally Identifiable Information (“PII”). It tells others about you and is considered part of your identity. Businesses are required to secure this information or risk facing statutory penalties, among other legal penalties. Stolen PII can be used by identity thieves to engage in fraudulent activity using your identity. 

Personal medical information (a specific type of PII) is referred to as Protected Health Information (“PHI”). It is protected under both state and federal law. Healthcare providers and other businesses that handle PHI are required to protect that information. Like stolen PII, stolen PHI can be used by identity thieves to engage in fraudulent activity using your identity. Quite often, hackers use PII and PHI together.

The best way to protect yourself after a data breach is to sign up for credit and identity protection services as soon as possible. 

California offers extra protections and legal rights to its residents through the California Consumer Privacy Act (“CCPA”).
