DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Montana Department of Public Health and Human Services notifying 1.3 million after malware inserted in 2013 found on system – Update

Posted on June 24, 2014 by Dissent

Lisa Baumann of AP reports:

Montana officials are notifying 1.3 million people that their personal information could have been accessed by hackers who broke into a state health department computer server.

[…]

Montana Chief Information Officer Ron Baldwin says malware was discovered on the health agency’s server May 22. The server contained names, addresses, birthdates, Social Security numbers, medical records and birth and death certificate information.

Read more on Missoulian.

An FAQ on the incident was posted to the Montana Department of Public Health and Human Services website on May 29. I’m emphasizing some of the key points in boldface below:

Common Questions

Regrettably, a DPHHS server was hacked. We apologize that this happened and want to provide you with more information and the steps we are taking to protect our clients and staff who had information on the affected server.

  • What happened? On May 22, 2014, outside forensic experts confirmed that hackers gained entry to a Department of Public Health and Human Services (DPHHS) computer server, though there is no evidence that information on the server was used inappropriately or even accessed. DPHHS took immediate action on May 15 when it first detected suspicious activity by shutting down the server, contacting law enforcement and bringing in outside experts to help investigate.  Based on our investigation, we believe the hackers first gained entry in July of 2013.  The information on the server may have included names, addresses, dates of birth, Social Security numbers and limited clinical information. This incident should not impact MT DPHHS services as none of the information contained on the server was lost and we have a complete back-up of the information.

  • When did it happen? On May 22, 2014 outside forensic experts confirmed that a DPHHS server had been hacked. DPHHS took immediate action on May 15 when it first detected suspicious activity by shutting down the server, contacting law enforcement and bringing in outside experts to help investigate.

  • How did this happen? Unknown computer hackers used malware to gain entry to a DPHHS server containing client and agency employee personal information.

  • Have those affected clients been notified?  At this time, DPHHS is in the process of notifying all those people with information on the server.

  • What type of security is in place on the server? We are continuously working to improve security of our computer networks and are committed to protecting client information. We deeply regret any inconvenience to you as a result of this incident. To help prevent something like this from happening in the future, we have taken the affected server offline and a new server containing backup files is being scanned and safely brought online. DPHHS has purchased additional security software to better protect sensitive information on existing servers, and as part of an internal investigation, DPHHS is reviewing existing policies and procedures to determine how to prevent this from happening again in the future.

  • Will this affect the services I receive? This incident should not impact DPHHS services as none of the information contained on the server was lost and we have a complete back-up of the information.

Page last updated: 05/29/2014

DPHHS is offering those notified a year of credit monitoring with Experian ProtectMyID.

Update: Montana’s notification to the New Hampshire Attorney General’s office can be found here (pdf). The notification indicates that what the state described as “limited clinical information” in their FAQ, above, was not so limited, and included diagnoses, health condition, treatment, prescriptions, and insurance information. This is not to say that anything was accessed or acquired, but just that there was more PHI on the server than their public notice might suggest.

Category: Uncategorized

Post navigation

← Just in Time Research: Data Breaches in Higher Education
MA: Uxbridge student data was on stolen Medicaid billing laptop →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • ConnectWise suspects cyberattack affecting some ScreenConnect customers was state-sponsored
  • Possible ransomware attack disrupts Maine and New Hampshire Covenant Health locations
  • HHS OCR Settles HIPAA Security Rule Investigation of BayCare Health System for $800k and Corrective Action Plan
  • UK: Two NHS trusts hit by cyberattack that exploited Ivanti flaw
  • Update: ALN Medical Management’s Data Breach Total Soars to More than 1.8 Million Patients Affected
  • Russian-linked hackers target UK Defense Ministry while posing as journalists
  • Banks Want SEC to Rescind Cyberattack Disclosure Requirements
  • MathWorks, Creator of MATLAB, Confirms Ransomware Attack
  • Russian hospital programmer gets 14 years for leaking soldier data to Ukraine
  • MSCS board renews contract with PowerSchool while suing them

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Home Pregnancy Test Company Wins Dismissal of Pixel Wiretapping Suit
  • The CCPA emerges as a new legal battleground for web tracking litigation
  • U.S. Spy Agencies Are Getting a One-Stop Shop to Buy Your Most Sensitive Personal Data
  • Period Tracking App Users Win Class Status in Google, Meta Suit
  • AI: the Italian Supervisory Authority fines Luka, the U.S. company behind chatbot “Replika,” 5 Million €
  • D.C. Federal Court Rules Termination of Democrat PCLOB Members Is Unlawful
  • Meta may continue to train AI with user data, German court says

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.