Data breaches occur in an organizational context when an unauthorized party accesses personal information for its interests. A breach can occur accidentally by internal mishaps or intentionally by cybercriminals seeking to sell precious personal information. This may happen through hacking, malware, ransomware, denial of service, and typical identity theft. Montana is one of the least populated states, ranking 48th in the number of data breach victims yearly. That said, it incurred $45,554,368 in losses in 2023 from data breaches. Most of the areas targeted were in the financial and healthcare sectors.

Identity Theft Statistics

Identity Theft
State Rank (Reports per 100K Population)
Identity Theft Reports
Fraud & Other
State Rank (Reports per 100K Population)
Total Fraud & Other Reports
Total Fraud Losses
Median Fraud Losses

Top Ten Report Categories

Imposter Scams
Identity Theft
Prizes, Sweepstakes and Lotteries
Telephone and Mobile Services
Online Shopping and Negative Reviews
Debt Collection
Banks and Lenders
Credit Bureaus, Iformation Furnishers and Report Users
Auto Related
Internet Services

Top Identity Theft Types

Credit Card Fraud
Other Identity Theft
Bank Fraud
Employment or Tax-Related Fraud
Loan or Lease Fraud
Phone or Utilities Fraud
Government Documents or Benefits Fraud

Montana's Recent Biggest Data Breaches

January, LLC Data Breach

In January 2024, LoanDepot discovered suspicious activity within its systems. The company immediately moved to contain the incident, contact law enforcement, and launch an investigation.49,134 Montana residents were affected by the data breach incident. The initial assessment revealed that names, addresses, financial account numbers, Social Security numbers, birth dates, and phone numbers were exposed. LoanDepot worked with an external expert to assess the scope of the threat and did not uncover any evidence that any of this information was misused for fraud or identity theft. They did provide 24 months of identity protection and credit monitoring for free from Experian.


Fred Hutchinson Cancer Centre Data Breach

In November 2023, the cancer center detected unauthorized activity in some parts of its network. According to the notice letter, they initiated an investigation with the assistance of an external forensic company. The investigation revealed that the criminal party accessed the network between the 19th and 25th of November. 3,183 residents were affected during the breach. The information exposed included names, Social Security numbers, addresses, birth dates, health insurance data, clinical information, and lab results. Fred Hutchinson indicated it considers the security of its patients as a top priority and they are continually updating their security. The center also offered credit monitoring services to those affected for twelve months.


Nationstar Mortgage LLC Data Breach

Nationstar Mortgage discovered some suspicious activity in their network in October 2023. The company immediately initiated response protocols, such as an investigation to assess the scope of the incident. Nationstar also contacted local law enforcement agencies to help with the investigation after shutting down its systems. The results showed unauthorized access between October 30th and November 1st. Information including names, phone numbers, addresses, Social Security details, birth dates, and account numbers were compromised during the attack. Nationstar Mortgage indicated they are monitoring the dark web and have not yet seen evidence that the data related to the incident was shared or otherwise misused. The company provided notification letters to the 36,903 individuals affected by the incident and provided 24 months of credit monitoring and identity protection services.


Postmeds Incorporated Data Breach

On August 31st, 2023, PostMeds discovered unauthorized activity on its network when the actor accessed a subset of files utilized for pharmacy management and fulfillment. The company immediately initiated an investigation to determine the scope of the damage. Some of the information exposed may have included demographics, medication types, and the attending physicians. PostMeds reiterated that Social Security data was not involved during the incident because the company did not receive this information. The PostMeds incident affected 6,703 people. The organization issued notification letters to all affected and claimed it enhanced its security protocols to safeguard against a reoccurrence of the data breach event.


Zeroed-In Technologies LLC

In August 2023, Zeroed-In determined suspicious activity was happening to some of its systems. They immediately launched an investigation to assess the scope of the breach and if it existed. Zeroed-In determined there was an unauthorized entry to its accounts at that time. The information accessed entailed names, birth dates, and Social Security data. The company is taking steps to secure the systems and report the incident to law enforcement agencies. Zeroed-In stated they were also reviewing existing policies and initiated security measures to prevent something similar from occurring in the future. The 5,049 affected were also provided with 12 months of credit monitoring and identity theft protection services free of charge.

What Should You Do if You Are in a Breach?

Unfortunately, data breaches are pretty common now, considering our online connections and dependence on digital service delivery. Criminals work in the shadows to steal your personal information, so sometimes, it's only when you notice certain signs that ongoing fraud becomes apparent. These danger signs apply to both individuals and businesses.

Credit Card Charges

If you find unauthorized transactions on your credit card, there is a significant possibility your phone number, email address, or card number has been compromised.

Calls from
Debt Collectors

Phone calls or letters from collection agencies seeking debt payment for a loan you do not remember taking are also signs of identity theft.

New Credit Cards
or Loans in Your Name

A new line of credit in your name or a loan taken is a warning sign you are a victim of identity theft.

Surprise Credit
Score Drops

Sudden credit drops with no obvious cause are a sign of suspicious activities.

Unusual Activity on Your
Social Security Account

The federal government also considers social security numbers personal identifiers, so check your social security statement regularly to ensure no one has access to benefits without consent.

Inability to
to Accounts

If you are locked out of the account, it is usually because someone has hacked into it and changed the password. You should immediately try all possible recovery options and contact customer support if all fails.

Step-by-Step Process for Responding to a Data Breach


Contact Local Law Enforcement

As an individual or a business, report the incident to the police and file a police report.


Assess and Secure Compromised Areas

Identify which aspects of your information have been affected, such as emails, passwords, credit card numbers, social security numbers, full names, and phone numbers.


Contain the Breach

Isolate the affected system to prevent further damage.


Create New, Strong Passwords for All Accounts

This may involve changing usernames and passwords for compromised platforms, using strong passwords with a mix of upper and lower-case letters, digits, and special characters.


Notify Affected Institutions

Inform your bank, credit card companies, and other affected institutions. Request they close or freeze any accounts that may be implicated in the breach to reduce financial risk.


Update Security on Digital Accounts

Change passwords for all accounts affected by the breach. Make sure each password is totally unique, and you use two-factor verification as an additional layer of security.


Check for Malware

Examine your computers and mobile devices for installed malware. Install robust antivirus software to detect and remove any viruses or malicious software.


Freeze Your Credit

In cases of identity theft, contact all credit bureaus to freeze your credit.


Monitor Your Mail and Credit Reports

Keep an eye out for any unauthorized changes in your mail.


Engage Legal Assistance When Applicable

If you are a business, consider hiring a law firm experienced in handling data breaches.

Responsibilities of Companies that Have Been Breached

State law mandates that all businesses that handle personal information contact the relevant Montana residents in the event of a data breach. They must also notify the Attorney General's Office of Consumer Protection even if one person was affected. Disclosure of the breach has to be made without any unreasonable delay. According to state regulations, personal information is defined as first and last names in combination with Social Security details, driver's licenses, financial account data, medical records, and taxpayer identification numbers.

Notices issued to residents may be sent via letter, telephone, or electronic means. Electronic or email notices may be forwarded if they are consistent with the provisions concerning electronic records. Substitute notices can also be issued if the entity does not have sufficient contact details to alert the individuals. Similarly, this provision is allowed if the notice cost is more than $250,000 or the number of those to be alerted exceeds 500,000. Substitute notices may be delivered by email notice, conspicuous posting of the notice on the business's website, and notifying statewide media outlets. Delays to inform the residents are also allowed if the process will interfere with an ongoing law enforcement investigation. However, the notification must be made when the law enforcement agency indicates that the investigation is completed or if it will not compromise the investigation.


  • Montana Code Annotated 2023, 30-14-1704 on Computer Security Breach deals with the definitions of personal information and the requirements of businesses within the state towards disclosing data breaches to the relevant consumers.
  • The Montana Consumer Data Privacy Act claims that by January 2025, consumers should be able to opt out of any processing of personal data for targeted advertising or any sale of the data through opt-out preferences signals that are issued with the consent of the consumer.