Montana officials said Tuesday they are notifying 1.3 million people that their personal information could have been accessed by hackers who broke into a state health department computer server.
The letters are going to people whose information and records were on the server. There’s no evidence so far that any information was stolen, officials said Tuesday.
“There is no information, no indication, that the hackers really accessed any of this information or used it inappropriately,” said Richard Opper, director of the state Department of Public Health and Human Services. “We are erring on the side of displaying an overabundance of caution.”
The state is offering free credit monitoring and identity-fraud insurance for a year to all 1.3 million people. A toll-free help line has fielded about 170 calls since the incident was announced a few weeks ago. None of those callers have reported identity theft or compromised bank accounts as a result of the hacking, Opper said.
Only about 1 million people live in Montana. The notifications are going to residents, people who no longer live in Montana and the estates of those who have died.
Malware was discovered on the health agency’s server on May 22, after information-technology employees noted suspicious activity on it earlier in the month, Montana Chief Information Officer Ron Baldwin said. The server contained names, addresses, birthdates, Social Security numbers and medical records related to health assessments, diagnoses, treatment, prescriptions and insurance.
About 3,100 department employees and contractors are also being notified, because the server contained their bank-account information. About 50 years of birth- and death-certificate information was also on the server, officials said.
Security has since been updated, officials said.
“This type of unauthorized access is not unique to Montana,” Baldwin said. “This is sort of the nature of the world we live in today.”
There are 17,000 unauthorized attempts to enter the state computer system every hour, on average, or about six billion attempts per year. With that volume, it’s difficult to ensure the state’s computer security is a step ahead of the hackers’ technology, Opper said.
The state is constantly vigilant and continually adapting monitoring and protection techniques, Baldwin said.
Officials expect cybersecurity insurance coverage purchased last year by the state to cover most of the costs associated with the incident.
“We’re just really grateful that apparently the citizens haven’t been harmed,” Opper said.