Montana Healthcare Data Breach Notification Law: Requirements, Deadlines, and Who You Must Notify


Kevin Henry

Data Breaches

March 15, 2026


The Montana healthcare data breach notification law sets clear expectations for how you respond when protected data is exposed. This guide explains what counts as a breach, which personal information triggers notice, who you must notify, and the deadlines and methods you must follow. It is tailored for healthcare providers, health plans, business associates, and third-party data custodians handling Montana residents’ data.

Definition of Data Breach

Under Montana law, a data breach generally means the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information. Good‑faith acquisition by your employee or agent for a legitimate purpose is not a breach if the data is not misused or further disclosed.

Encrypted or redacted data typically falls outside breach scope unless the encryption key or security credentials were also compromised. If you reasonably believe personal information was acquired by an unauthorized person, treat the event as a breach and begin your investigation and consumer notification planning immediately.

Personal Information Elements

Personal information (PI) that triggers Montana consumer notification focuses on data elements that, if exposed, create elevated identity theft or fraud risk. PI commonly includes a resident’s first name or first initial and last name in combination with any one of the following:

  • Social Security number.
  • Driver’s license or state identification number.
  • Financial account, credit card, or debit card number with any required security code, access code, or password permitting account access.
  • Medical information (e.g., diagnosis, treatment, or medical history) or health insurance policy or beneficiary numbers.
  • Biometric data used to authenticate identity (e.g., fingerprint, voiceprint, retina or iris image).
  • Username or email address with password or security question/answer that permits access to an online account.

If any of these elements are involved, evaluate the likelihood of unauthorized acquisition and potential misuse to determine next steps under the Montana healthcare data breach notification law.

Notification Requirements

You must provide consumer notification to affected Montana residents without unreasonable delay and no later than 30 days after discovery of a breach, subject to any law enforcement delay. For HIPAA‑regulated incidents involving unsecured protected health information, you must also meet HIPAA’s content and timing rules; when timelines differ, follow the shorter (stricter) deadline.

Core content of the consumer notice

  • What happened, including approximate breach date and discovery date.
  • What types of personal information were involved.
  • What you are doing to investigate, mitigate harm, and improve safeguards.
  • What steps the resident can take to protect themselves (e.g., fraud alerts, credit monitoring, password changes).
  • How to reach you for more information (toll‑free number, email, or mailing address).

If more than 1,000 Montana residents are notified, you must also notify nationwide consumer reporting agencies of the timing, distribution, and content of the consumer notification. Maintain detailed records of your investigation, decisions, and notices as part of your compliance file.

Notification Methods

Acceptable notification methods include:

  • Written notice sent to the resident’s last known mailing address.
  • Electronic notice consistent with the federal E‑SIGN Act when the resident has consented or the notice is otherwise legally valid in electronic form.
  • Telephone notice when appropriate and when it directly reaches the affected person.

For breaches involving online account credentials (e.g., a patient portal username and password), you may use electronic notice that directs the resident to promptly change their password and any similar passwords reused elsewhere, and to enable multifactor authentication when available.


Substitute Notice Criteria

When direct consumer notification is impracticable, substitute notice may be used. Montana’s substitute notice criteria allow this approach if any of the following are true:

  • The cost of direct notice would exceed $250,000; or
  • The affected class exceeds 500,000 persons; or
  • You do not have sufficient contact information to provide direct notice.

How to provide substitute notice

  • Email notice to all residents for whom you have a valid email address;
  • Conspicuous posting of the notice on your website; and
  • Notification to major statewide media.

Document why the substitute notice criteria were met and how you executed each of the three elements.

Attorney General Notification

When you provide consumer notification to Montana residents, you must also provide notice to the Montana Attorney General Consumer Protection office. Send an electronic copy of the consumer notice and include key details such as the number of Montana residents affected, the types of personal information involved, the breach and discovery dates, and your point of contact.

Provide this Attorney General notification without unreasonable delay and within the same 30‑day window, unless a law enforcement delay applies. Preserve correspondence and confirmation of submission in your compliance records.

Third-Party Notification

Third‑party data custodians and service providers that maintain personal information on behalf of a covered entity must notify the data owner or licensee without unreasonable delay after discovering a breach. Your notice should include sufficient information to allow the owner to comply with its consumer notification, Attorney General notification, and any HIPAA requirements.

Business associate agreements should spell out incident reporting timelines, cooperation duties, and allocation of tasks like consumer notification, call‑center management, and remediation. Regardless of contract terms, Montana law expects timely escalation so the owner can meet statutory deadlines.

FAQs

What constitutes a data breach under Montana law?

A breach occurs when there is an unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of a Montana resident’s personal information. Good‑faith access by your employee or agent is not a breach if the data is not misused or disclosed, and encrypted data is generally excluded unless the key was also compromised.

When must affected residents be notified?

You must notify affected Montana residents without unreasonable delay and no later than 30 days after discovering the breach, unless a law enforcement delay is in place. If HIPAA also applies, follow the shortest applicable timeframe and include all required content elements.

How is substitute notice determined?

Substitute notice is permitted when direct notice is impracticable—specifically when the cost exceeds $250,000, the affected class is over 500,000 people, or you lack sufficient contact information. It must include email notice (if available), a conspicuous website posting, and notice to major statewide media.

What are the notification requirements for third parties?

Third‑party data custodians and service providers must notify the data owner or licensee without unreasonable delay after discovering a breach and share enough detail for the owner to meet consumer notification, Attorney General notification, and any HIPAA obligations.
