By HFT Staff

Rocky Mountain Associated Physicians, P.C. is notifying affected individuals of a data security incident that may have involved certain individuals’ personal, protected health and/or financial information 

At an unknown date (no earlier than October 30, 2025), an advanced malicious cyber actor was able to gain unauthorized access to certain systems within Rocky Mountain’s databases, including its patient database and other data files. On February 2, 2026, Rocky Mountain confirmed that certain patient information may have been compromised as a result of this incident. 

The information involved may have included individuals’ names, dates of birth, Social Security numbers, addresses, contact information, medical record numbers, diagnosis and treatment information, insurance information and financial information (e.g., credit or debit card numbers and PIN numbers). Not all data elements were necessarily involved for every affected individual. 

Upon discovery that personal health and financial information had been compromised, Rocky Mountain promptly took steps to secure its systems, engaged a third-party forensic investigation firm to conduct a thorough review of the incident and notified law enforcement. The US Department of Health and Human Services Office for Civil Rights and the Internet Crime Complain Center (IC3) have also been notified.  

It is continuing to implement additional safeguards to help prevent a recurrence of such an attack and to protect the privacy of Rocky Mountain Associated Physicians patients.