Idaho Cybersecurity Incidents: Notable Breaches & Ransomware Attacks
A detailed timeline of major cybersecurity incidents in Idaho, from semiconductor and technology sector breaches to ransomware attacks on healthcare systems and state agencies.
Idaho's rapid transformation into a technology hub has fundamentally changed the state's cybersecurity risk profile. Boise — frequently called the "Silicon Valley of the Northwest" — is home to Micron Technology, one of the world's largest semiconductor manufacturers, along with significant operations from HP, Albertsons Companies, and a growing cluster of technology startups. This technology concentration, combined with Idaho's traditional strengths in agriculture and food processing, creates a diverse attack surface that draws attention from both financially motivated cybercriminals and nation-state threat actors targeting the semiconductor supply chain.
The incidents documented below reveal how Idaho organizations across multiple sectors have been compromised. Each case carries practical lessons about the security gaps that persist in many organizations today. For an in-depth look at the risks driving these incidents, see our analysis of the Idaho cyber threat landscape. Whether you operate a small technology firm in Boise or manage IT for an agricultural cooperative in eastern Idaho, understanding this history is essential for building an effective security strategy.
Major Cyber Incidents in Idaho: A Timeline
2011 — Idaho State University Data Breach
Idaho State University disclosed a breach involving the theft of personal data from approximately 50,000 current and former students and employees. The breach was caused by a vulnerability in the university's web application that allowed unauthorized access to a database containing names, Social Security numbers, and dates of birth. The university offered credit monitoring to affected individuals and implemented additional web application security controls. The incident was an early warning about the cybersecurity challenges facing Idaho's higher education institutions.
2013 — Idaho State University HIPAA Violation
The U.S. Department of Health and Human Services Office for Civil Rights fined Idaho State University $400,000 for HIPAA violations related to the university's Pocatello Family Medicine clinic. The violation involved the clinic's failure to secure electronic protected health information for approximately 17,500 patients over a ten-month period when firewall protections at the clinic were disabled. The case demonstrated that even university-affiliated healthcare facilities face significant enforcement action for basic security failures.
2017 — Boise-Based St. Luke's Health System Phishing Incident
St. Luke's Health System, one of Idaho's largest healthcare providers with facilities across the Treasure Valley, disclosed that a phishing attack compromised employee email accounts containing patient information. The breach affected patient names, dates of birth, medical record numbers, and in some cases clinical and insurance information. St. Luke's implemented enhanced email security controls and expanded employee phishing awareness training in response.
2019 — Idaho Central Credit Union Data Incident
Idaho Central Credit Union, the state's largest credit union, notified members of a security incident involving unauthorized access to member account information through a third-party vendor system. While the credit union stated that its core banking systems were not compromised, the incident exposed the supply chain risks inherent in financial services technology and prompted the institution to conduct a comprehensive review of its third-party vendor security requirements.
2021 — Idaho Department of Health and Welfare COVID-19 Data Exposure
During the COVID-19 pandemic, the Idaho Department of Health and Welfare disclosed that a misconfiguration in a public-facing dashboard had inadvertently exposed personal information of Idaho residents who had received COVID-19 tests. The exposed data included names and dates of birth. The department corrected the misconfiguration within hours of discovery, but the incident highlighted the cybersecurity risks created by the rapid deployment of public health technology during the pandemic.
2022 — Albertsons Companies Credential Theft Campaign
Albertsons Companies, headquartered in Boise, faced a credential-stuffing campaign targeting customer accounts on its online grocery platforms including Albertsons, Safeway, and Jewel-Osco. While the company stated that its internal systems were not breached, attackers used previously stolen credentials from other breaches to access customer accounts, view order histories, and in some cases use stored payment methods. The incident underscored the persistent risk of credential reuse and the importance of account security measures for retail and grocery platforms.
2023 — Idaho National Laboratory Data Breach
In November 2023, the Idaho National Laboratory (INL), a U.S. Department of Energy facility that conducts nuclear and energy research, confirmed that a data breach had exposed the personal information of more than 45,000 current and former employees. The hacktivist group SiegedSec claimed responsibility, stating they had accessed INL's Oracle HCM cloud-based human resources system. Compromised data included names, Social Security numbers, dates of birth, bank account information, and home addresses. The breach was particularly significant given INL's role in national security research and nuclear energy development.
2024 — Kootenai Health Ransomware Attack
Kootenai Health, a major healthcare provider in northern Idaho based in Coeur d'Alene, suffered a ransomware attack in early 2024 that compromised the personal and medical information of approximately 464,000 individuals. The 3AM ransomware group claimed responsibility for the attack, which exposed patient names, Social Security numbers, dates of birth, medical records, and health insurance information. The breach was one of the largest healthcare data incidents in Idaho history and prompted the health system to implement significant security infrastructure upgrades.
Idaho's Data Breach Notification Law
Idaho's data breach notification requirements are codified in Idaho Code Sections 28-51-104 through 28-51-107. The law requires any agency, individual, or commercial entity that conducts business in Idaho and owns or licenses computerized personal information of Idaho residents to notify affected individuals within 30 days of discovering a breach. This 30-day notification window, enacted through a 2021 amendment, made Idaho one of the states with a specific and relatively short notification deadline.
Personal information under the Idaho statute includes a resident's name combined with Social Security number, driver's license or state ID number, financial account number with access credentials, or medical and health insurance information. If a breach affects more than 500 Idaho residents, the entity must also notify the Idaho Attorney General's office. Violations may result in civil penalties of up to $25,000 per breach. For complete compliance guidance, see our Idaho data privacy and compliance guide.
Which Idaho Industries Are Most Targeted?
Technology and Semiconductors
Boise's technology corridor, anchored by Micron Technology and HP, processes enormous volumes of intellectual property and research data. Micron, as one of only three major global DRAM manufacturers, is a high-value target for nation-state actors — particularly those seeking semiconductor manufacturing processes and chip design data. The CHIPS and Science Act has further elevated the strategic importance of Idaho's semiconductor industry, attracting both investment and adversary attention.
Healthcare
St. Luke's Health System, Saint Alphonsus Health System, and Kootenai Health serve as Idaho's major healthcare providers. Healthcare data remains among the most valuable on dark web markets, and Idaho's healthcare organizations face the same ransomware and phishing threats as their counterparts nationwide. The 2024 Kootenai Health breach demonstrated that even well-resourced Idaho health systems are vulnerable to sophisticated ransomware operations.
National Laboratories and Government
Idaho National Laboratory is one of the most important research facilities in the U.S. Department of Energy complex, conducting nuclear energy research, cybersecurity research, and critical infrastructure protection work. The 2023 INL breach highlighted the unique risks facing government research facilities that handle sensitive national security information and employ thousands of cleared personnel.
Agriculture and Food Processing
Idaho is the top U.S. producer of potatoes and a major producer of dairy, barley, and trout. Companies like J.R. Simplot Company operate large-scale food processing operations that rely on industrial control systems and supply chain technology. As these operations become more connected, they present operational technology attack surfaces that are increasingly targeted by ransomware operators and other threat actors. Manufacturing IT security is a critical concern for Idaho's food processing sector.
What Idaho Businesses Must Do After a Breach
Idaho's 30-day notification deadline creates urgency that many states do not impose. When an Idaho business discovers a breach, immediate action is essential.
Contain the incident by isolating affected systems and preserving forensic evidence
Engage qualified incident response professionals to determine the scope and nature of the compromise
Notify affected individuals within 30 days of discovery with a written notice describing the breach, data types affected, and protective steps
Notify the Idaho Attorney General if 500 or more Idaho residents are affected
Notify credit reporting agencies if required based on the type of compromised data
Document all response actions for regulatory compliance and potential litigation defense
Having managed IT security services in place before an incident dramatically improves detection speed and response quality, often making the difference between a contained incident and a catastrophic breach.
How to Protect Your Idaho Business Before an Incident
Idaho businesses should build their security programs based on their specific industry risks. Technology companies need to prioritize intellectual property protection and code repository security. Healthcare organizations must focus on HIPAA compliance and ransomware resilience. Agricultural operations need to address operational technology security alongside traditional IT.
Deploy multi-factor authentication on all systems, with phishing-resistant methods for high-risk accounts
Implement endpoint detection and response across all workstations and servers
Maintain offline, encrypted backups tested quarterly for restoration capability
Conduct regular employee security training with simulated phishing exercises
Segment networks to limit lateral movement if an attacker gains initial access
Review and test your incident response plan at least annually through tabletop exercises
For a foundational understanding of how outsourced security and IT management works, explore our guide to what managed IT services include.
Frequently Asked Questions
What is the largest data breach in Idaho history?
The 2024 Kootenai Health ransomware attack, which compromised data of approximately 464,000 individuals, is among the largest. The 2023 Idaho National Laboratory breach affecting over 45,000 employees was also highly significant due to INL's national security role.
How long does an Idaho business have to report a data breach?
Idaho law requires notification to affected individuals within 30 days of discovering a breach. If 500 or more Idaho residents are affected, the Idaho Attorney General must also be notified. Delays may be permitted if law enforcement determines notification would impede a criminal investigation.
Is Micron Technology a target for cyberattacks?
As one of only three major DRAM manufacturers globally, Micron Technology is a high-value target for nation-state espionage, particularly from adversaries seeking semiconductor manufacturing processes and intellectual property. The CHIPS and Science Act has further elevated the semiconductor industry's strategic importance and the attention it receives from threat actors.
Does the Idaho National Laboratory breach affect public safety?
The 2023 INL breach compromised employee personal information through the human resources system, not operational or research systems. INL stated that nuclear research operations were not affected. However, the exposure of personal data for cleared personnel creates potential counterintelligence concerns that the Department of Energy takes seriously.
Are Idaho's data breach penalties significant?
Idaho imposes civil penalties of up to $25,000 per breach for noncompliance with notification requirements. While this may seem modest compared to states like California, businesses also face potential lawsuits from affected individuals, regulatory action from federal agencies for industry-specific violations, and reputational damage that can far exceed statutory penalties.
What cybersecurity resources does Idaho provide to businesses?
The Idaho Office of Information Technology Services provides guidance and resources for state agencies. The Idaho Small Business Development Center offers cybersecurity workshops and consulting for small businesses. Additionally, Idaho participates in the Multi-State Information Sharing and Analysis Center (MS-ISAC), which provides threat intelligence and incident response support to government entities.
Alex Morgan
Updated Apr 5, 2026 · 9 min read