Active breach tracker Anaconda, Montana Disclosed May 19, 2025

Community Hospital of Anaconda Data Breach 2025: 21,243 Affected After Meow Ransomware Hit Rural Montana Critical-Access Hospital

Community Hospital of Anaconda, a 25-bed critical access hospital in southwest Montana, confirmed that the Meow ransomware group accessed its network between August 10 and August 12, 2024 and exfiltrated data covering 21,243 patients and staff including Social Security numbers, passport and military ID numbers, financial account data, and full clinical and insurance detail. The hospital filed with HHS OCR and mailed notification letters on May 19, 2025. Notably, no complimentary credit monitoring was offered.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Aug 10, 2024

Meow ransomware group gains access to Community Hospital of Anaconda's network and begins exfiltrating data

Aug 12, 2024

Hospital detects unusual activity disrupting access to certain IT systems; investigation launched and FBI notified

Aug 12, 2024

Meow ransomware group claims responsibility, asserting 540 GB of stolen data and demanding a $120,000 ransom on its leak site

May 19, 2025

HIPAA breach report filed with HHS OCR (21,243 affected, Hacking/IT Incident, location: Network Server); individual notification letters mailed and substitute notice posted to the hospital website the same day

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number Driver's license or state identification number Passport number

02

Health records

Don't expire and can't be reissued

Medical record number Treatment information

03

Contact & insurance

Phishing + targeted scams

Full name U.S. military identification number Financial account information Patient account number Medicare number Medicaid number Health insurance information
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Community Hospital of Anaconda — a 25-bed critical access hospital serving Anaconda-Deer Lodge County and the surrounding rural communities of southwest Montana — confirmed that an unknown actor (subsequently claimed by the Meow ransomware group) accessed its network between August 10 and August 12, 2024 and exfiltrated highly sensitive personal, clinical, financial, and government-identifier data covering 21,243 current and former patients and staff. The hospital filed the HIPAA breach report with the U.S. Department of Health and Human Services Office for Civil Rights and mailed individual notification letters on May 19, 2025, roughly nine months after the intrusion was discovered.

The data set is exceptionally broad. Beyond the usual name, date of birth, and Social Security number combination, the exposure included passport numbers, U.S. military identification numbers, driver’s license numbers, financial account information, Medicare and Medicaid numbers, and full treatment and health-insurance detail. The Meow ransomware group publicly claimed responsibility shortly after the intrusion, asserting it had stolen 540 GB of data and demanding a $120,000 ransom.

Timeline

  • August 10, 2024 — Meow ransomware group accesses Community Hospital of Anaconda’s network and begins exfiltrating data from network file servers over the next 48 hours.
  • August 12, 2024 — Hospital detects unusual activity disrupting access to certain IT systems. An internal investigation is launched, third-party forensic experts are engaged, and the Federal Bureau of Investigation is notified. The Meow group separately claims responsibility on its leak site, advertising 540 GB of stolen Community Hospital of Anaconda data for sale at $120,000.
  • August 2024 to May 2025 — Forensic investigation and data review proceed to identify what was accessed and to assemble the notification list. This nine-month gap between discovery and notification is on the long end of the HIPAA 60-day notification clock and reflects the complexity of reviewing exfiltrated network-server data for personal identifiers.
  • May 19, 2025 — HIPAA breach report filed with HHS OCR. Portal entry lists 21,243 individuals affected, categorized as a Hacking/IT Incident with location Network Server. Individual notification letters are mailed to patients and employees the same day. A substitute notice is posted at communityhospitalofanaconda.org/notice-of-data-security-incident/ and a dedicated hotline opens at 1-877-674-2894 (Monday–Friday, 7:00 AM to 7:00 PM Mountain Time).

What was exposed

Per the hospital’s substitute notice and the individual notification letters mailed on May 19, 2025, the data elements potentially exposed vary by individual but include the following.

  • Full name
  • Date of birth
  • Social Security number
  • Driver’s license or state identification number
  • U.S. military identification number
  • Passport number
  • Financial account information
  • Patient account number
  • Medical record number
  • Medicare number
  • Medicaid number
  • Treatment information
  • Health insurance information

The combination of Social Security number, passport number, and military ID in a single exposure is unusually severe. Each of those identifiers carries its own fraud surface — SSN for new-account and tax-refund fraud, passport for travel and immigration fraud, military ID for benefits fraud against the Department of Veterans Affairs and TRICARE — and the three together substantially raise the risk profile for affected individuals.

Sensitive-population considerations (rural critical-access patients)

Community Hospital of Anaconda is a 25-bed critical access hospital under the Medicare designation, serving Anaconda (population roughly 9,000) and the surrounding rural communities of Deer Lodge County and the upper Clark Fork valley. CHA is effectively the only inpatient hospital for a wide rural service area; an exposure of 21,243 individuals therefore represents most of the catchment population, including a meaningful share of every demographic in the region.

Notification logistics are harder in rural counties. The standard breach-response playbook — read your letter, log into three credit-bureau websites, complete online identity verification, place a credit freeze, enroll in monitoring with an activation code — assumes reliable broadband, a personal device, and comfort with online authentication. Many rural and older patients in southwest Montana do not have all three. The three nationwide consumer reporting agencies accept freeze requests by mail and by phone, which avoids the broadband and online-verification dependency, and CHA’s hotline at 1-877-674-2894 can answer questions about the notice itself.

Critical-access exposure has knock-on consequences. Beyond the individual fraud risk, the data set includes financial account information and clinical detail for what is effectively the local workforce, retirees, and miners’ health-plan population, including likely a significant Indian Health Service-eligible cohort and military retirees (the inclusion of military ID numbers in the exposed-data list is consistent with that). Affected individuals enrolled in TRICARE or the VA should monitor their benefits statements as well as standard consumer credit.

What the entity is offering

This is where the response diverges from the norm. Community Hospital of Anaconda did not offer complimentary credit monitoring or identity-theft protection services in its notification, according to the entity’s own substitute notice and independent coverage by Comparitech. Instead, the hospital’s notice provides self-service guidance: instructions on obtaining a free annual credit report at annualcreditreport.com, instructions on placing fraud alerts and security freezes with the three nationwide bureaus, and a referral to the Federal Trade Commission’s identity-theft resources at identitytheft.gov.

For an exposure that includes Social Security numbers, passport numbers, military IDs, and financial account information, the absence of complimentary credit monitoring is notable. It places the entire remediation burden — and any out-of-pocket cost — on affected individuals.

What the hospital did offer:

  • A dedicated call center hotline at 1-877-674-2894, open Monday through Friday, 7:00 AM to 7:00 PM Mountain Time, for questions about the incident.
  • Main hospital line at 406-563-8500 and a contact email at [email protected].
  • Guidance and resource links for free credit reports, credit freezes, fraud alerts, and the FTC’s identity-theft response site.
  • Confirmation of FBI notification and stated cooperation with law enforcement.

Class-action posture

As of mid-May 2026, no consolidated class-action complaint has been publicly docketed against Community Hospital of Anaconda. Plaintiffs’ firms moved quickly into the investigative phase after the May 19, 2025 disclosure:

  • Strauss Borrelli PLLC opened a public investigation announcement on May 20, 2025, the day after the OCR filing, soliciting affected individuals to discuss legal rights and potential remedies. The firm is in the investigative phase; no complaint has been filed.
  • ClassAction.org’s plaintiffs’-firm panel opened a public investigation page in May 2025 and has since marked the investigation as concluded with the standard “Attorneys working with ClassAction.org have finished their investigation into this matter” language, indicating that no panel member filed a complaint.

Any consolidated class action covering Community Hospital of Anaconda would be filed in the U.S. District Court for the District of Montana (the federal district covering Anaconda). As of this update, no such case is publicly docketed. The combination of a severe data set, a long notification gap, and the absence of complimentary credit monitoring is the kind of fact pattern plaintiffs’ firms typically build complaints around, so this posture may change. This page will be updated if a complaint is filed and a case number issues.

What to do

If you received a notification letter from Community Hospital of Anaconda — whether as a patient, current or former employee, or family member who has received care at CHA — treat this as a high-severity exposure and stack defenses. The hospital did not offer credit monitoring, so you will need to do this on your own.

  1. Freeze your credit at all three bureaus — Equifax, Experian, and TransUnion. It is free, takes about ten minutes per bureau, and blocks new-account fraud. With Social Security numbers in the exposed data set, this is the single highest-leverage step. Freezes can be placed online, by phone, or by mail.
  2. Place a fraud alert as well if you do not want the operational friction of a full freeze. A fraud alert lasts one year, is free, and requires lenders to verify your identity before opening new credit. You only need to contact one bureau and that bureau notifies the other two.
  3. Request an IRS Identity Protection PIN (IP PIN) at irs.gov/ippin. Free. With an SSN exposed, this prevents someone from filing a fraudulent tax return in your name.
  4. If your passport number was in the exposure, monitor for notices of address changes or travel activity you did not initiate. Report any suspected passport fraud to the U.S. Department of State’s Passport Fraud Unit.
  5. If your military ID number was in the exposure and you are a veteran or active duty, monitor your VA and TRICARE benefits statements. Report suspected benefits fraud to the VA Office of Inspector General hotline and to TRICARE.
  6. Watch your bank and credit card statements for unauthorized charges. Financial account information was in the exposed data set. Consider asking your bank to issue a new account number if your full account number was disclosed.
  7. Watch Explanation of Benefits statements from your health plan for services you did not receive. Treatment information and insurance numbers were exposed, which raises the risk of medical identity theft.
  8. Be skeptical of unsolicited outreach claiming to be from Community Hospital of Anaconda, the FBI, or “the FTC.” Threat actors routinely follow large breaches with targeted phishing using the leaked identifiers. CHA’s only official contact channels are the hotline at 1-877-674-2894, the main hospital line at 406-563-8500, and [email protected].
  9. Document everything. If a class action is later filed, evidence of any out-of-pocket losses, time spent on remediation, or downstream identity-theft incidents will matter to a claim.

Sources

One-sentence confirmation: this page synthesizes seven sources, every fact stated above appears in at least two of them, and unsourced detail has been omitted.

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.