HELENA — State officials Tuesday said they’re notifying 1.3 million people whose personal data were in a state Department of Public Health and Human Service computer hacked by unknown assailants a year ago.
Richard Opper, director of the agency, said there’s no evidence any personal data were stolen or accessed — but the state is offering free, year-long credit monitoring and insurance to those receiving the notification.
“I encourage Montanans who are notified to sign up for the free credit-monitoring and insurance that is being provided,” Opper said.
The state also has set up a toll-free help line for anyone who has questions about the computer breach and how it may affect them. The number is 800-809-2956.
The state started sending notification letters Monday and will stagger them over the next week or so, Opper said.
Agency officials discovered the potential hacking in mid-May, after noticing “suspicious activity” on one of the department’s computers in Helena that stores millions of records, state officials said.
Ron Baldwin, the state’s chief information officer, said they noticed what appeared to be unauthorized Internet access to the DPHHS computer and that a private security contractor later confirmed the breach. Further investigation indicated that hackers had gained access to the computer last July.
However, state officials said they don’t believe the hackers extracted any information.
The computer holds information on people using public programs that serve thousands of Montanans, including for food stamps, welfare payments, Medicaid, home heating aid and child care assistance, as well as birth and death records and some state employee records.
The records may include names, addresses, birth dates, Social Security numbers, bank account numbers, health diagnoses and drug prescriptions. None of the information was lost, however, and the state had backed up the data elsewhere, state officials said.
The majority of the mailings are related to birth and death records, which go back to 1997 and include people who live outside the state, officials said.
Opper said the state has insurance that will cover up to $2 million in costs associated with the computer breach, but couldn’t say yet what the total cost will be.
“We’ve done everything we can to make sure we err on the side of providing services,” he said. “We’ll worry about the costs later. The security of citizens who had information on the server is our first concern — really, our only concern, at this point.”
The cost will depend on how many people choose to sign up for insurance and credit-monitoring and how long the state will have to maintain the toll-free help line, Opper said.
The state announced the breach May 29, about a week after investigators confirmed it. Baldwin said then it was the first time anyone had used the Internet to gain unauthorized access to a state computer.
Baldwin said Tuesday the state doesn’t know and may never know what the hackers did once they gained access to the computer, but that it appears no information was accessed or taken.
“We do know there are networks of hackers who go about trying to gain unauthorized access to servers and (publicize) that they’ve gained access,” he said. “It can literally be that simple.”
Opper said the investigation last month determined the server had been listed on a now-defunct website last July as one that was potentially vulnerable, indicating it had been hacked a year ago. However, that access wasn’t detected until May, indicating that the hackers may not have been using the server in any other way, he said.