A computer in Montana’s Department of Public Health that stored large databases of employee and client personal information was accessed over the Internet by an unknown hacker (or hackers). The unauthorized intrusion was discovered earlier this month and the computer was immediately taken offline. A private security contractor was hired after “suspicious activity” was noticed on the server, and the contractor confirmed the breach. The server was one of three that stored personal and health information on clients using programs such as Food Stamps.
According to state officials, there is no evidence that the data was stolen. However, it appears that data was placed inside the system once it was accessed, according to this article from the Montana Standard.
The exact number of victims has not been disclosed, although the state has established a call center for potential victims and will offer a year’s worth of free credit monitoring and insurance against identity theft to any victim.
Recently, another public health department, in Skagit County, Washington, agreed to a $215,000 settlement for potential violations of the HIPAA regulations [View our post about the Skagit County settlement]. In that case, an OCR investigation following a breach report revealed “general and widespread non-compliance” with the HIPAA Privacy, Security and Breach Notification Rules. We know little about the HIPAA compliance of Montana’s Public Health Department, but one lesson for other government agencies is that a breach could occur at any time, which could result in an OCR investigation. It is better to begin compliance efforts well before a breach occurs.