(Reuters) - A data security breach of Montana’s state health records has compromised the Social Security numbers and other personal information of some 1.3 million people, but the full extent of damage from the intrusion is unclear, state officials said on Tuesday.
Hackers of unknown origin gained access in May to a computer server tied to the Montana Department of Public Health and Human Services, exposing sensitive or confidential information of current and former medical patients, health agency employees and contractors.
Individuals whose personal information was exposed are being offered free credit monitoring, though investigators do not know whether the breach resulted in any actual identity theft, department Director Richard Opper said.
“We have absolutely no indication the criminals who illegally entered the server had any interest in the data they accessed in any way, shape or form, and we have no reports of people’s identities being stolen,” Opper told Reuters.
In addition to containing the Social Security numbers, birth dates and names of patients, such data as bank account numbers, medical diagnoses, treatments, dates of service and prescriptions may have been stored on the network, he said.
Montana is the latest target in a string of high-profile hacking incidents that have seen personal and financial information compromised amid cyber attacks on public agencies and commercial companies such as retail giant Target Corp.
Hackers in 2012 breached state health records in Utah, compromising the private information of some 780,000 patients in an attack that was believed to have originated in Eastern Europe.
Attempts to hack into Montana’s computer system number roughly 17,000 an hour, but the breach at the state health department marks the first time cyber criminals successfully infiltrated a state agency on such a large scale, Opper said.
Security upgrades have been put into place since the hacking came to light on May 15, when a company that monitors the agency’s network reported suspicious activity. Health officials shut down the server, and a forensic investigation later confirmed the network had been subjected to an unauthorized entry, Opper said.
In addition to credit monitoring, those whose information may have been compromised are being offered free identity protection insurance, Opper said. Up to $2 million in costs for such services are covered by a state insurance policy tied to cyber and data security.
Reporting by Laura Zuckerman from Salmon, Idaho; Editing by Steve Gorman and Eric Beech