Montana Breach Victim Tally: 1.3 MillionHackers Gained Access to Health Department Server
Montana state officials have now confirmed that 1.3 million people will be notified following a previously reported breach at the state's Department of Public Health and Human Services (see: Hackers Access Health Department Server).
See Also: IoT is Happening Now: Are You Prepared?
Hackers gained access to a public health department server, although there's no evidence that information on the server was used inappropriately, or was even viewed, officials say.
On May 22, an independent forensic investigation confirmed the hacking incident. The forensic investigation was ordered on May 15 when suspicious activity was first detected by state officials. Department officials say they immediately shut down the server and contacted law enforcement.
Potentially compromised information for health department clients includes names, addresses, dates of birth and Social Security numbers. The server may also have included information regarding health services clients applied for and/or received. Client information may include information related to health assessments, diagnoses, treatment, health condition, prescriptions and insurance.
In addition, department contractors and current and former employees are being notified because the information on the server may have included their names, addresses, dates of birth, Social Security numbers, bank account information and dates of service, officials say.
Affected individuals are being offered free credit monitoring services for one year, state officials say.
"Out of abundance of caution, we are notifying those whose personal information could have been on the server," DPHHS Director Richard Opper says. "Again, we have no reports, nor do we have any evidence that anyone's information was used in any way, or even accessed."
Following the data breach, the state has taken several steps, including adding additional security software to better protect sensitive information on servers and continually reviewing its security practices to ensure all appropriate measures are being taken to protect personal information.
Officials also acknowledge that the state upgraded its property insurance policy in 2013 to include cyber/data security coverage for incidents such as the one being reported. The policy provides coverage of up to $2 million to cover costs associated with the toll-free help line, mailing notification letters, free credit monitoring and other services. "State officials expect the majority of costs associated with this incident to be covered by insurance," department officials says.
The state did not immediately respond to a request for additional information.
The incident underscores the importance of active security monitoring and regular security assessments, says Dan Berger, CEO of Redspin, a data security services firm. "Without sophisticated security monitoring in place, it can be very difficult to detect an attack."
Also, it may be too early to suggest that no harm has been done or that the hackers did not view the data, Berger says. "It looks like DPHHS is relying mostly on the fact that there have been no reports of identity theft or personal information compromise," he says. "But people whose data may have been stolen are only now learning of that."