The US state of Montana is notifying 1.3 million people of a data breach at the state health department in July 2013 that went undetected until May 2014.
On 22 May, an independent forensic investigation determined that the server had been hacked. The forensic investigation was ordered on 15 May when suspicious activity was first detected.
State officials said in a statement that, when the suspicious activity was discovered, agency officials shut down the server and contacted law enforcement.
The compromised server has been removed from the network and replaced with a new server containing scanned backup files, the statement said.
State officials said the health department had installed additional security software to better protect sensitive information on existing servers. They said the department was reviewing existing policies and procedures to prevent similar breaches in the future.
The statement did not say why it took the health department nearly a year to discover the breach.
Although the population of Montana is only around one million, the state is notifying anyone who may have had personal data exposed, including former residents and families of deceased residents.
Information on the compromised server included names, addresses, birth dates, social security numbers, medical records, and birth and death certificates.
State officials say they do not believe hackers managed to extract any data, but have encouraged possible victims to sign up for a free credit monitoring service and identity fraud insurance.