News from the Capitol today is that malware (malicious software) was found on a computer server at the Montana Department of Public Health and Human Services (DPHHS).
That’s the bad news.
The good news is that it seems that no personal information was taken, and more good news is that the state has systems in place to notify people when there’s a possibility of identity theft.
I’m proud to say that those security systems and notification systems are in place from a bill that I passed in 2009!
House Bill 155 was an anti-identity theft bill, a security bill. It requires state agencies to develop policies for the protection of social security numbers and personal information.
The bill extends identity theft mitigation requirements, defines agency director security responsibilities, and defines how notification must be made if there is a security breach.
In Montana law, there is a duty to protect, and that includes protecting individual privacy and the privacy of information contained within information technology systems. (MCA 2-17-505(1))
This bill extends private sector requirements to state government.
To put the requirement of security and notification in perspective, I'll remind you of a computer security breach at D.A. Davidson in 2008, when customer information was stolen from a computer database by a hacker. The personal information of tens of thousands of clients was stolen, and the company and its customers worried that the Social Security numbers and personal information could be used in identity theft.
Now, as bad as it was that a private computer system was accessed and the information stolen, the company realized that there had been a security breach and notified all of its clients so that they could take action to protect themselves if someone did try to use their personal information fraudulently.
House Bill 155 requires state government to develop processes to secure personal information and to notify people if ever that information is compromised or stolen.
The bill includes third parties doing work for a state agency, including colleges, hospitals, universities, boards and commissions, and departments of state agencies.
Just think of how much personal information is held by any of these entities, and it's easy to realize that it's imperative to protect that information.
The notification requirement in the event of a security breach says that people must be notified in a timely fashion and that a third party working on behalf of a state entity must notify the state agency and the people affected.
The bill passed the House and Senate unanimously and was signed into law by Governor Schweitzer. Now, when a security breach occurs, the State of Montana is obligated to secure the affected personal information, remediate the breach, and take steps to prevent it from happening again.
The story from the Associated Press reads:
State to send safety notice
Hackers may have breached health server
By Lisa Baumann
Associated Press
HELENA - Montana officials said Tuesday they are notifying 1.3 million people that their personal information could have been accessed by hackers who broke into a state health department computer server.
The letters are going to people whose information and records were on the server. There's no evidence so far that any information was stolen, officials said Tuesday.
"There is no information, no indication, that the hackers really accessed any of this information or used it inappropriately," said Richard Opper, director of the state Department of Public Health and Human Services. "We are erring on the side of displaying an overabundance of caution."
The state is offering free credit monitoring and identity-fraud insurance for a year to all 1.3 million people. A toll-free help line has fielded about 170 calls since the incident was announced a few weeks ago. None of those callers have reported identity theft or compromised bank accounts as a result of the hacking, Opper said.
Only about 1 million people live in Montana. The notifications are going to residents, people who no longer live in Montana, and the estates of those who have died.
Malware was discovered on the health agency's server May 22 after information technology employees noted suspicious activity on it earlier in the month, Montana Chief Information Officer Ron Baldwin said. The server contained names, addresses, birthdates, Social Security numbers and medical records related to health assessments, diagnoses, treatment, prescriptions and insurance.
About 3,100 department employees and contractors are also being notified because the server contained their bank account information. About 50 years of birth and death certificate information was also on the server, officials said.
Security has since been updated, officials said.
"This type of unauthorized access is not unique to Montana," Baldwin said. "This is sort of the nature of the world we live in today."
There are 17,000 unauthorized attempts to enter the state computer system every hour on average, or about six billion attempts per year. With that volume, it's difficult to ensure the state's computer security is a step ahead of the hackers' technology, Opper said.
The state is constantly vigilant and continually adapting monitoring and protection techniques, Baldwin said.
Officials expect cyber-security insurance coverage purchased last year by the state to cover most of the costs associated with the incident.
"We're just really grateful that apparently the citizens haven't been harmed," Opper said.