DataBreaches.Net


Montana Department of Public Health and Human Services notifying 1.3 million after malware inserted in 2013 found on system – Update

Posted on June 24, 2014 by Dissent

Lisa Baumann of AP reports:

Montana officials are notifying 1.3 million people that their personal information could have been accessed by hackers who broke into a state health department computer server.

[…]

Montana Chief Information Officer Ron Baldwin says malware was discovered on the health agency’s server May 22. The server contained names, addresses, birthdates, Social Security numbers, medical records and birth and death certificate information.

Read more on Missoulian.

An FAQ on the incident was posted to the Montana Department of Public Health and Human Services website on May 29. I’m emphasizing some of the key points in boldface below:

Common Questions

Regrettably, a DPHHS server was hacked. We apologize that this happened and want to provide you with more information and the steps we are taking to protect our clients and staff who had information on the affected server.

  • What happened? On May 22, 2014, outside forensic experts confirmed that hackers gained entry to a Department of Public Health and Human Services (DPHHS) computer server, though there is no evidence that information on the server was used inappropriately or even accessed. DPHHS took immediate action on May 15 when it first detected suspicious activity by shutting down the server, contacting law enforcement and bringing in outside experts to help investigate. Based on our investigation, we believe the hackers first gained entry in July of 2013. The information on the server may have included names, addresses, dates of birth, Social Security numbers and limited clinical information. This incident should not impact MT DPHHS services as none of the information contained on the server was lost and we have a complete back-up of the information.

  • When did it happen? On May 22, 2014, outside forensic experts confirmed that a DPHHS server had been hacked. DPHHS took immediate action on May 15 when it first detected suspicious activity by shutting down the server, contacting law enforcement and bringing in outside experts to help investigate.

  • How did this happen? Unknown computer hackers used malware to gain entry to a DPHHS server containing client and agency employee personal information.

  • Have those affected clients been notified? At this time, DPHHS is in the process of notifying all those people with information on the server.

  • What type of security is in place on the server? We are continuously working to improve security of our computer networks and are committed to protecting client information. We deeply regret any inconvenience to you as a result of this incident. To help prevent something like this from happening in the future, we have taken the affected server offline and a new server containing backup files is being scanned and safely brought online. DPHHS has purchased additional security software to better protect sensitive information on existing servers, and as part of an internal investigation, DPHHS is reviewing existing policies and procedures to determine how to prevent this from happening again in the future.

  • Will this affect the services I receive? This incident should not impact DPHHS services as none of the information contained on the server was lost and we have a complete back-up of the information.

Page last updated: 05/29/2014

DPHHS is offering those notified a year of credit monitoring with Experian ProtectMyID.

Update: Montana’s notification to the New Hampshire Attorney General’s office can be found here (pdf). The notification indicates that what the state described as “limited clinical information” in their FAQ, above, was not so limited, and included diagnoses, health condition, treatment, prescriptions, and insurance information. This is not to say that anything was accessed or acquired, but just that there was more PHI on the server than their public notice might suggest.
