Notice of Data Privacy Incident
Western Montana Clinic is committed to protecting the privacy and security of the information in our care. On August 1, 2025, we began mailing notification letters to certain patients whose information was involved in an incident.
We recently completed an investigation related to a phishing email incident. On April 15, 2025, we observed unusual activity in certain employee email accounts. We immediately began an investigation and worked with third-party experts to contain and remediate the issue. The investigation determined that an unauthorized individual occasionally accessed employee emails between March 11, 2025 and April 15, 2025. During that time, the unauthorized individual attempted to change bank account information to redirect funds to the unauthorized individual's account. This incident was limited to email account access and did not involve access to our electronic health records system or any other Western Montana systems.
Although the focus of the unauthorized individual's activities was on redirecting funds from us, we performed a data review to determine if any of the accessed emails and their corresponding attachments contained patient information. On June 3, 2025, we determined that these emails and attachments included patients' names and one or more of the following: patients' contact information, dates of birth, treating physician, internal identification numbers, dates of service, medication information, and treatment and/or diagnostic information. For a small subset of patients, the emails and attachments also included their Social Security numbers.
It is always a good idea for patients to remain vigilant and review statements received from their healthcare provider. If patients identify charges for services they did not receive, they should contact the healthcare provider immediately.
We take this matter very seriously. To help prevent a similar incident, we will continue to implement and evaluate enhanced safeguards and security measures to further protect our email system, and continue to provide training to our employees regarding phishing emails.
We have set up a designated incident response line to answer patient questions. Patients can call 877-250-2787, 9:00 AM to 9:00 PM Eastern Time, except for major U.S. holidays.