Highlight on Montana: Hackers Tapped into 1.3 Million Patients’ Records Last Year

On Tuesday, June 24, 2014, Montana state officials announced that they were notifying 1.3 million people that their personal information may have been accessed in a security breach that occurred last July. The Montana state government believes that the state’s health department computer server was hacked and, as a result, the personal information of some 1.3 million individuals was exposed. The breach was not discovered until May of this year, ten months after it occurred. While officials have reported that there is no evidence that the data was actually stolen or used in any way, Montana is now taking steps to identify any resulting fraud and prevent future security breaches.

Montana Breach

According to local reports, the hackers, who are of unknown origin, may have had access to Social Security numbers as well as other personal information contained in patients’ health records. Montana also identified and notified an additional 3,100 department employees and contractors because it is believed that the exposed information may have contained their bank account information. Officials also noted that 50 years of birth and death certificate information was contained on the hacked server. While Montana only has approximately one million residents, the state government notified current and former residents as well as the estates of deceased residents.

It has been estimated that up to 17,000 unauthorized attempts to enter the state’s data center occur each hour, and a total of six billion attempts to hack the system are acknowledged each year. Richard Opper, the director of Montana’s Department of Public Health and Human Services, stated, “There is no information, no indication, that the hackers really accessed any of this information or used it inappropriately,” but the state decided to take steps to notify the public of this breach and to rectify any resulting fraud, “erring on the side of displaying an overabundance of caution.”

After the announcement of the breach, the state offered those potentially affected free credit monitoring and free identity protection insurance. Those services could cost as much as $2 million and will be covered by the state’s cyber and data security insurance policy. Additionally, the Montana system has undergone security upgrades since the breach was identified.

Other Hacks

Montana’s Chief Information Officer, Ron Baldwin, stated, “This type of unauthorized access is not unique to Montana,” and such a security breach is an aspect of “the nature of the world we live in today.” Indeed, sources noted that in 2012 health information data contained on a Utah state health server was compromised in this same way and, in turn, the private information of 780,000 patients was released. The national data on this topic is even more telling. A survey conducted by the Identity Theft Resource Center indicated that in 2013 in the U.S., medical-related identity thefts accounted for 43 percent of all identity thefts. Moreover, a Kaiser Health News report cited HHS data showing that since 2009, “the medical records of between 27.8 and 67.7 million people have been breached.” The Kaiser report, which was released in February of this year, found that the implementation of the Patient Protection and Affordable Care Act (ACA) “has raised the stakes,” in terms of potentially exposing Americans’ confidential health records and the information contained therein. While the report referenced the two laws that have put certain provisions in place to prevent such security breaches, namely the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology Act of 2009 (HITECH), it also implied that these laws did not go far enough to truly prevent the exposure of private information in the emerging health care system.