Lisa Baumann of AP reports:
Montana officials are notifying 1.3 million people that their personal information could have been accessed by hackers who broke into a state health department computer server.
[…]
Montana Chief Information Officer Ron Baldwin says malware was discovered on the health agency’s server May 22. The server contained names, addresses, birthdates, Social Security numbers, medical records and birth and death certificate information.
Read more on Missoulian.
An FAQ on the incident was posted to the Montana Department of Public Health and Human Services website on May 29. I’m emphasizing some of the key points in boldface below:
Common Questions
Regrettably, a DPHHS server was hacked. We apologize that this happened and want to provide you with more information and the steps we are taking to protect our clients and staff who had information on the affected server.
What happened? On May 22, 2014, outside forensic experts confirmed that hackers gained entry to a Department of Public Health and Human Services (DPHHS) computer server, though there is no evidence that information on the server was used inappropriately or even accessed. DPHHS took immediate action on May 15 when it first detected suspicious activity by shutting down the server, contacting law enforcement and bringing in outside experts to help investigate. Based on our investigation, we believe the hackers first gained entry in July of 2013. The information on the server may have included names, addresses, dates of birth, Social Security numbers and limited clinical information. This incident should not impact MT DPHHS services as none of the information contained on the server was lost and we have a complete back-up of the information.
When did it happen? On May 22, 2014, outside forensic experts confirmed that a DPHHS server had been hacked. DPHHS took immediate action on May 15 when it first detected suspicious activity by shutting down the server, contacting law enforcement and bringing in outside experts to help investigate.
How did this happen? Unknown computer hackers used malware to gain entry to a DPHHS server containing client and agency employee personal information.
Have those affected clients been notified? At this time, DPHHS is in the process of notifying all those people with information on the server.
What type of security is in place on the server? We are continuously working to improve security of our computer networks and are committed to protecting client information. We deeply regret any inconvenience to you as a result of this incident. To help prevent something like this from happening in the future, we have taken the affected server offline and a new server containing backup files is being scanned and safely brought online. DPHHS has purchased additional security software to better protect sensitive information on existing servers, and as part of an internal investigation, DPHHS is reviewing existing policies and procedures to determine how to prevent this from happening again in the future.
Will this affect the services I receive? This incident should not impact DPHHS services as none of the information contained on the server was lost and we have a complete back-up of the information.
Page last updated: 05/29/2014
DPHHS is offering those notified a year of credit monitoring with Experian ProtectMyID.
Update: Montana’s notification to the New Hampshire Attorney General’s office can be found here (pdf). The notification indicates that what the state described as “limited clinical information” in their FAQ, above, was not so limited, and included diagnoses, health condition, treatment, prescriptions, and insurance information. This is not to say that anything was accessed or acquired, but just that there was more PHI on the server than their public notice might suggest.