New Mexico Cybersecurity Incidents: Notable Breaches & Ransomware Attacks
A detailed timeline of major cybersecurity incidents in New Mexico, from national laboratory security events to healthcare breaches and ransomware attacks on government systems, and what businesses can learn from them.
New Mexico occupies a distinctive position in the national cybersecurity landscape. The state is home to two of the nation's most important nuclear weapons research facilities — Los Alamos National Laboratory and Sandia National Laboratories — as well as White Sands Missile Range and Kirtland Air Force Base. This concentration of classified federal operations makes New Mexico one of the most targeted states for nation-state cyber espionage. Beyond the defense sector, New Mexico's economy includes a significant healthcare sector, a growing oil and gas industry in the Permian Basin, and tribal government operations that each face their own cybersecurity challenges.
The incidents documented below represent real breaches and cyberattacks that have affected New Mexico organizations. Each case reveals patterns that continue to drive breaches across the state today. For a comprehensive view of the threat landscape facing New Mexico organizations, see our New Mexico cyber threat analysis.
Major Cyber Incidents in New Mexico: A Timeline
2006 — Los Alamos National Laboratory Data Incident
Los Alamos National Laboratory (LANL) experienced one of several security incidents that drew national attention when a subcontractor was found to have taken classified documents and electronic storage media home, resulting in the discovery of sensitive data outside secured areas. While primarily a physical security incident, the event exposed weaknesses in the laboratory's data handling controls and prompted DOE to significantly strengthen cybersecurity requirements for national laboratory contractors. LANL has faced multiple security incidents over the years, each reinforcing the extraordinary difficulty of securing environments where highly classified research intersects with large-scale computing infrastructure.
2011 — New Mexico Human Services Department Medicaid Breach
The New Mexico Human Services Department reported a breach involving Medicaid recipient data after a laptop containing unencrypted personal information was stolen from an employee's vehicle. The breach exposed names, Social Security numbers, dates of birth, and Medicaid identification numbers for thousands of New Mexico residents. The incident led to statewide policy changes requiring encryption on all portable devices containing personal information and prompted the department to accelerate its migration to centralized, encrypted data storage.
2015 — Presbyterian Healthcare Services Email Compromise
Presbyterian Healthcare Services, one of New Mexico's largest health systems, disclosed a phishing attack that compromised employee email accounts containing patient information. The breach affected approximately 12,000 patients, exposing names, dates of birth, medical record numbers, and limited clinical information. Presbyterian implemented enhanced email security controls and expanded phishing awareness training across its workforce following the incident.
2017 — Bernalillo County Ransomware Incident
Bernalillo County, which includes Albuquerque and is New Mexico's most populous county, experienced a ransomware attack that disrupted county government operations. The attack affected administrative systems and temporarily impacted the county's ability to process certain transactions. While the county did not pay the ransom, the incident required weeks of recovery work and highlighted the vulnerability of local government IT infrastructure in New Mexico.
2019 — Lovelace Health System Data Breach
Lovelace Health System, which operates multiple hospitals and clinics across Albuquerque, disclosed a data breach after discovering that an employee had improperly accessed patient records over an extended period. The breach involved names, dates of birth, Social Security numbers, and medical treatment information. The incident underscored the persistent challenge of insider threats in healthcare environments, where clinical staff require broad access to patient records but organizations must maintain strict audit controls to detect misuse.
2022 — Bernalillo County Government Ransomware Attack
In January 2022, Bernalillo County suffered a second major ransomware attack that was significantly more disruptive than the 2017 incident. The attack shut down most county government systems, closed government buildings to the public, and disrupted operations at the Metropolitan Detention Center. The county declared an emergency and reported that the attack affected everything from real estate transactions to probate filings. Recovery took months and required substantial investment in new security infrastructure. The incident became a cautionary case study for local governments operating with aging IT systems and limited cybersecurity budgets.
2023 — Albuquerque Public Schools Ransomware Attack
Albuquerque Public Schools (APS), the largest school district in New Mexico with approximately 74,000 students, suffered a ransomware attack in January 2023 that forced the district to cancel classes for two days. The attack encrypted critical systems including the student information system used for attendance, emergency contacts, and school bus routing. APS confirmed that student personal data had been accessed, including names, Social Security numbers, dates of birth, and addresses. The incident highlighted the acute vulnerability of K-12 school systems that often operate with minimal cybersecurity resources while maintaining sensitive data for tens of thousands of students and families.
2024 — Eastern New Mexico Medical Center Breach
Eastern New Mexico Medical Center in Roswell disclosed a data breach after detecting unauthorized access to its computer systems. The breach exposed patient information including names, Social Security numbers, health insurance details, and medical treatment records. The incident affected patients across southeastern New Mexico and demonstrated how rural hospitals face significant cybersecurity challenges due to limited IT staff and budgets while still maintaining the same types of sensitive data as larger urban health systems.
New Mexico's Data Breach Notification Law
New Mexico's data breach notification requirements are codified in the New Mexico Data Breach Notification Act (NMSA 1978, Sections 57-12C-1 through 57-12C-12), which was enacted in 2017 and made New Mexico the 48th state to adopt breach notification legislation. The law requires any person or business that owns or licenses personal identifying information of New Mexico residents to notify affected individuals within 45 days of discovering a security breach.
If the breach affects more than 1,000 New Mexico residents, the business must also notify the New Mexico Attorney General and major credit reporting agencies. Personal identifying information under the statute includes a person's name combined with Social Security numbers, driver's license numbers, government-issued identification numbers, financial account credentials, or biometric data. Violations are enforced under the Unfair Practices Act, with penalties of up to $150,000 per breach. For a complete overview of New Mexico's legal requirements, see our New Mexico compliance and data privacy guide.
Which New Mexico Industries Are Most Targeted?
Federal Government and National Laboratories
Los Alamos National Laboratory, Sandia National Laboratories, White Sands Missile Range, and Kirtland Air Force Base represent the highest-value targets in New Mexico from a nation-state perspective. The defense supply chain supporting these installations (hundreds of contractors and subcontractors across the state) faces sustained advanced persistent threat (APT) activity from Chinese, Russian, and other state-sponsored cyber groups seeking access to classified nuclear weapons research, missile defense technology, and space systems data.
Healthcare
New Mexico's healthcare sector, including Presbyterian Healthcare Services, Lovelace Health System, and University of New Mexico Health, processes significant volumes of protected health information. Rural hospitals and clinics in areas like southeastern New Mexico face particular challenges, operating with limited IT staff while serving geographically dispersed patient populations. Healthcare cybersecurity in New Mexico must account for both urban and rural threat profiles.
Energy — Oil and Gas
New Mexico's share of the Permian Basin, centered in Lea and Eddy Counties, has made the state one of the largest oil-producing states in the nation. Energy companies face threats to both IT systems and operational technology (OT) that controls drilling, refining, and pipeline operations. Disruption of OT systems can have safety and environmental consequences beyond financial losses.
State and Local Government
Bernalillo County's two ransomware attacks (2017 and 2022) and the Albuquerque Public Schools attack demonstrate that New Mexico's state and local government entities are frequent ransomware targets. Limited budgets, aging infrastructure, and the difficulty of recruiting cybersecurity talent to government positions create persistent vulnerabilities that attackers exploit.
What New Mexico Businesses Must Do After a Breach
New Mexico's 45-day notification deadline is among the stricter timelines in the nation. Businesses must begin the response process immediately upon discovering a breach. Key steps include isolating affected systems, engaging forensic investigators to determine the scope and cause, assessing which personal identifying information was compromised, and preparing notification to affected individuals within the 45-day window.
If the breach affects more than 1,000 New Mexico residents, the business must also notify the New Mexico Attorney General and the major credit reporting agencies. Organizations that have managed IT security services in place typically detect breaches earlier and contain them faster, reducing both the scope of the incident and the complexity of the notification process.
How to Protect Your New Mexico Business Before an Incident
New Mexico businesses should implement security measures that reflect the state's specific threat environment. For organizations in the defense supply chain, this means compliance with NIST SP 800-171 and preparation for CMMC certification. For healthcare organizations, HIPAA compliance provides a regulatory baseline but should be supplemented with advanced threat detection capabilities. For small businesses across all sectors, foundational security controls are essential.
Every New Mexico organization should understand what managed IT services can provide and evaluate whether outsourcing security monitoring and response is more effective than building those capabilities internally, particularly given the state's cybersecurity talent challenges.
- Multi-factor authentication on all email, VPN, and remote access systems
- Endpoint detection and response (EDR) on all workstations and servers
- Regular backup testing with offline or air-gapped backup copies
- Employee phishing training at least quarterly, with New Mexico-specific simulations
- Incident response plan documented and tested with tabletop exercises annually
Frequently Asked Questions
What is New Mexico's data breach notification deadline?
New Mexico law requires businesses to notify affected individuals within 45 days of discovering a data breach. If the breach affects more than 1,000 New Mexico residents, the business must also notify the New Mexico Attorney General and major credit reporting agencies within the same timeframe.
Has New Mexico experienced nation-state cyberattacks?
New Mexico's national laboratories and defense installations are persistent targets for nation-state cyber espionage. Los Alamos National Laboratory and Sandia National Laboratories have experienced multiple security incidents over the years. The broader defense contractor ecosystem across the state also faces advanced persistent threats from state-sponsored groups.
Why was Bernalillo County attacked by ransomware twice?
Bernalillo County experienced ransomware attacks in both 2017 and 2022. The recurrence reflects the persistent challenges facing local governments that operate with limited cybersecurity budgets, aging IT infrastructure, and difficulty recruiting security talent. The 2022 attack was significantly more disruptive, forcing the county to declare an emergency and shut down most government operations.
Are New Mexico's rural hospitals at higher cybersecurity risk?
Yes. Rural hospitals in New Mexico face elevated cybersecurity risk because they typically operate with smaller IT teams, tighter budgets, and older infrastructure while still maintaining the same types of sensitive patient data as urban hospitals. Geographic isolation can also delay incident response and complicate recovery efforts.
How does New Mexico's oil and gas industry face cybersecurity threats?
New Mexico's Permian Basin oil and gas operations face threats to both information technology and operational technology systems. Ransomware targeting IT systems can halt business operations, while attacks on OT systems that control drilling, pipeline, and refining operations can create safety and environmental hazards. The convergence of IT and OT networks has expanded the attack surface for energy companies across southeastern New Mexico.
What cybersecurity requirements apply to New Mexico defense contractors?
Defense contractors in New Mexico that handle Controlled Unclassified Information must comply with NIST SP 800-171 and will need CMMC certification as the Department of Defense phases in mandatory requirements. Given the concentration of national laboratories and military installations in New Mexico, many local businesses are part of the defense supply chain and subject to these requirements even if they do not consider themselves traditional defense contractors.
Alex Morgan
Updated Apr 5, 2026 · 9 min read