from the capitol today is that malware (malicious software, or a
"hack") was found on the computer servers at the Montana Department of
Health and Human Services (DPHHS).
That's the bad news.
good news is that it seems that no personal information was taken, and
more good news is that the state has systems in place to notify people
when there's a possibility of identity theft.
I'm proud to say that those security systems and notification systems are in place from a bill that I passed in 2009!
Bill 155 was an anti-identity theft bill, a security bill. It requires
state agencies to develop policies for the protection of social security
numbers and personal information.
bill extends identity theft mitigation requirements, defines agency
director security responsibilities, and defines how notification must be
made if there is a security breach.
Montana law, there is a ‘duty to protect’, and that includes
“protecting individual privacy and the privacy of information contained
within information technology systems.” (MCA 2-17-505(1))
This bill extends private sector requirements to state government.
put the requirement of security and notification in perspective, I’ll
remind you of a computer security breach at D A Davidson in 2008, when
customer information was stolen from a computer database by a hacker.
The personal information of tens of thousands of clients was stolen, and
the company and its customers worried that the social security numbers
and personal information could be used in identity theft.
as bad as it was that a private computer system was accessed and the
information stolen, the company realized that there had been a security
breach and notified all of its clients so that they could take action to
protect themselves if someone did try to use their personal information
Bill 155 requires state government to develop processes to secure
personal information and to notify people if ever that information is
compromised or stolen.
bill includes third parties doing work for a state agency, including
colleges, hospitals, universities, boards and commissions, and
departments of state agencies.
think of how much personal information is held in any of these
entities, and it’s easy to realize that it’s imperative to protect that
notification requirement in the event of a security breach says that
people must be notified in a timely fashion and that a third party
working on behalf of a state entity must notify the state agency and the
bill passed the House and Senate unanimously, and was signed into law
by Governor Schweitzer. Now, when unfortunate security breaches occur, the State
of Montana does everything to secure personal information and to fix the
breach, and to prevent it from happening again.
The story from the Associated Press reads,
State to send safety notice
Hackers may have breached health server
By Lisa Baumann
Montana officials said Tuesday they are notifying 1.3 million people
that their personal information could have been accessed by hackers who
broke into a state health department computer server.
letters are going to people whose information and records were on the
server. There’s no evidence so far that any information was stolen,
officials said Tuesday.
is no information, no indication, that the hackers really accessed any
of this information or used it inappropriately,” said Richard Opper,
director of the state Department of Public Health and Human Services.
“We are erring on the side of displaying an overabundance of caution.”
state is offering free credit monitoring and identity-fraud insurance
for a year to all 1.3 million people. A tollfree help line has fielded
about 170 calls since the incident was announced a few weeks ago. None
of those callers have reported identity theft or compromised bank
accounts as a result of the hacking, Opper said.
about 1 million people live in Montana. The notifications are going to
residents, people who no longer live in Montana, and the estates of
those who have died.
discovered on the health agency’s server May 22 after information
technology employees noted suspicious activity on it earlier in the
month, Montana Chief Information Officer Ron Baldwin said. The server
contained names, addresses, birthdates, Social Security numbers and
medical records related to health assessments, diagnoses, treatment,
prescriptions and insurance.
3,100 department employees and contractors are also being notified
because the server contained their bank account information. About 50
years of birth and death certificate information was also on the server,
Security has since been updated, officials said.
type of unauthorized access is not unique to Montana,” Baldwin said.
“This is sort of the nature of the world we live in today.”
There are 17,000 unauthorized
attempts to enter the state computer system every hour on average, or
about six billion attempts per year. With that volume, it’s difficult to
ensure the state’s computer security is a step ahead of the hackers’
technology, Opper said.
The state is constantly vigilant and continually adapting monitoring and protection techniques, Baldwin said.
Officials expect cyber-security insurance coverage purchased last year by the state to cover most of the costs associated with the incident.
“We’re just really grateful that apparently the citizens haven’t been harmed,” Opper said.