14 DAY TRIAL // Hackers accessed a server of the Department of Public Health and Human Services (DPHHS) in Montana, U.S., and reached sensitive information of 1.3 million individuals.
The details that were accessed without authorization include names, addresses, dates of birth, and Social Security numbers. Information about clients may be related to health assessments, diagnoses, treatment, health condition, prescriptions, and insurance.
Also, it seems that details about the DPHHS services that clients applied for or received were present on the affected machine, too.
The breach was discovered on May 22, a week after the public health department ordered a forensic investigation because signs of suspicious activity had been detected.
In the case of contractors and current and former employees, it is possible that the data on the server included names, addresses, dates of birth, Social Security numbers, bank account information and dates of service.
The immediate response of the DPHHS officials was to shut down the server and contact the law enforcement.
At the moment, there is no clear information on the exact records that have been accessed as a result of the incident, and the DPHHS Director, Richard Opper, says that "out of an abundance of caution, we are notifying those whose personal information could have been on the server."
According to a news release, the activity of the DPHHS services has not been affected in any way thanks to the backup systems that have created a safe copy of the data.
State of Montana officials say that all parties that could be affected will be notified about the breach and they will be offered free credit monitoring and identity protection insurance.
They are to receive an official letter explaining the nature of the incident and the instructions for contacting the recommended services if fraudulent credit activities are detected.
"I encourage Montanans who are notified to sign up for the free credit monitoring and insurance that is being provided," Opper said.
State of Montana Chief Information Officer Ron Baldwin says that the state changed the property insurance last year, so now it covers cyber security incidents of this nature. The policy covers the costs for toll-free Help Line, mailing notification letters, free credit monitoring and other services up to $2 million/1,465 million EUR.
In the wake of the incident, the security of the DPHHS server system has been upgraded for better protection of the sensitive details.
A similar incident affected NRAD systems, the culprit being identified as a company employee, who accessed without authorization the files of 97,000 patients, containing personally identifying information, including social security numbers.