The Montana Department of Public Health and Human Services (DPHHS) has reported more details on one of the largest HIPAA breaches in terms of number of affected patients, as up to 1.3 million records were compromised.
hack was first reported in early June when DPHHS hired an investigator and determined on May 22 2014 that the server was likely accessed as far back in July 2013. Now, according to the Montana Office of Public Instruction
press release, as many as 1.3 million patients were affected and it’s still unclear at this time whether the hackers used patient data maliciously or even accessed it while on the server. DPHHS said the server held patient demographic information, including names, addresses, dates of birth, and Social Security numbers. Additionally, some records may have contained information regarding DPHHS services clients applied for and/or received, such as health assessments, diagnoses, treatment, health condition, prescriptions, and insurance.
“Out of an abundance of caution, we are notifying those whose personal information could have been on the server,” said DPHHS Director Richard Opper. “Again, we have no reports, nor do we have any evidence that anyone’s information was used in any way, or even accessed.”
As for IT security improvements, DPHHS said that it’s already working on avoiding a repeat incident in the future.
The state has taken several steps to further strengthen security, including safely restoring all systems affected, adding additional security software to better protect sensitive information on existing servers, and continually reviewing its security practices to ensure all appropriate measures are being taken to protect citizen information.
Additionally, Reuters reported
that Opper said there are generally about 17,000 attempts to hack into Montana’s computer system per hour, but this was the first time that hackers were able to attack DPHHS successfully at this volume. DPHHS has about $2 million to spend on a toll-free help line, mailing notification letters, free credit monitoring and other services, according to the release.