Cyberattack Responsible for HIPAA Breach at Montana Department of Public Health and Human Services

A cyberattack is being held responsible for a HIPAA breach at Montana Department of Public Health and Human Services (DPHHS).

Montana Department of Public Health and Human Services has been hit by a cyberattack that has resulted in 1.3 million healthcare records being obtained by thieves. This incident is particularly serious due to the data that the hackers could potentially have viewed and copied.

The HIPAA breach at Montana Department of Public Health and Human Services resulted in the exposure of names, telephone numbers and addresses, along with Social Security numbers, examination dates, medical test results and other health information. Some exposed records also included financial information such as employee payroll information and bank account numbers.

The persons responsible for the security breach have not been identified, although early investigations have established that access to the server was first gained in July of last year, with the records accessed for a second time on May 22, 2014. As is frequently the case, hackers are able to breach defenses but it can take many months before their trails are noticed.

Montana DPHHS has confirmed that the data has been relocated to a different server and it is now protected so there is no further chance of hackers accessing the data again; although it is possible that the data has already been copied by the thieves since they have had access for over 12 months. According to a statement issued by the DPHHS, no evidence has been discovered that PHI was actually viewed, accessed or copied by the thieves.

The HIPAA Breach Notification Rule requires Montana DPHHS to issue breach notification letters to all affected individuals by mail to alert them to the possibility that their data has been viewed by unauthorized individuals. They must be informed of the measures that are being taken to mitigate any damage and safeguard the PHI from further attacks, and they should be provided with advice on actions they can take to protect their identities and monitor their accounts for signs of fraudulent activity.

Richard H. Opper, DPHHS Director, said in a statement that, in accordance with HIPAA Rules, a number of actions are being taken to mitigate damage and improve security. All affected individuals will be provided with credit monitoring services and will be given information on how they can secure their credit and protect themselves from medical fraud.

He also said that security has been improved since the HIPAA breach at Montana Department of Public Health and Human Services, although the measures added would remain secret so as not to further compromise security.

This breach may have affected a public organization, but that does not mean that it is exempt from OCR financial penalties. Both private and public organizations can be fined for HIPAA violations by the Office for Civil Rights. If an investigation uncovers evidence that the intrusion resulted from lax security standards and there have been HIPAA violations, the Montana DPHHS could have to pay a substantial penalty.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of