State of Montana officials said today that 1.3 million people will be notified regarding the incident where hackers gained entry to a Department of Public Health and Human Services (DPHHS) computer server, though officials said there is no knowledge that information on the server was used inappropriately, or was even accessed.
The state is notifying individuals whose personal information was on the server, consistent with state and federal laws. The notification list includes both current and former Montana residents, and in some instances, the estates of deceased individuals.
Officials announced that the state is also notifying individuals of free credit monitoring and identity protection insurance.
“Out of an abundance of caution, we are notifying those whose personal information could have been on the server,” said DPHHS Director Richard Opper. “Again, we have no reports, nor do we have any evidence that anyone’s information was used in any way, or even accessed.”
On May 22nd , an independent forensic investigation determined a DPHHS computer server had been hacked. The forensic investigation was ordered on May 15th when suspicious activity was first detected by DPHHS officials. When the suspicious activity was discovered, agency officials immediately shut down the server and contacted law enforcement.
In recent weeks, DPHHS staff has been thoroughly reviewing all files on the server to determine those individuals to be notified.
DPHHS clients are being notified because information on the server included demographic information such as names, addresses, dates of birth, and Social Security numbers. The server may also have included information regarding DPHHS services clients applied for and/or received. Client information may include information related to health assessments, diagnoses, treatment, health condition, prescriptions, and insurance. The information held on the server for each client is different. This incident should not impact DPHHS services as none of the information contained on the server was lost and we have a complete back-up of the information.
DPHHS contractors and current and former employees are being notified because the information on the server may have included their names, addresses, dates of birth, Social Security numbers, bank account information and dates of service. Again, the information held on the server for each of these individuals is also different.
The number of individuals being notified represents the number and breadth of programs DPHHS administers, plus the length of time the agency is required by state and federal law to maintain its records. For example, Vital Statistics, which maintains the birth and death records for the state, is part of DPHHS. Those records were on the server.
Also, the state is offering free credit monitoring and insurance to eligible individuals who receive a letter. The letters include detailed instructions about how to sign up for this recommended service, including their own personal activation code. “I encourage Montanans who are notified to sign up for the free credit monitoring and insurance that is being provided,” Opper said.
Opper stressed that due to privacy laws, DPHHS is not allowed to enroll individuals directly.
Anyone with questions is encouraged to call the toll-free Help Line, which is available Monday to Friday from 7 a.m. to 7 p.m. (MDT) at 800-809-2956. Additional information is also available at http://www.dphhs.mt.gov
According to State of Montana Chief Information Officer Ron Baldwin, the state upgraded its property insurance policy in 2013 to include cyber/data security coverage for incidents such as this one. The policy provides coverage of up to $2 million to cover costs associated with the toll-free Help Line, mailing notification letters, free credit monitoring and other services. State officials expect the majority of costs associated with this incident to be covered by insurance.
The state has taken several steps to further strengthen security, including safely restoring all systems affected, adding additional security software to better protect sensitive information on existing servers, and continually reviewing its security practices to ensure all appropriate measures are being taken to protect citizen information.
Reader Comments(0)