HELENA — Hackers broke into a Montana health department computer server through software in need of a security upgrade after a Chinese-language website last year identified the department’s server as vulnerable, state officials said Friday.
Malware, which is software that can steal information, damage a computer system or bring it down, was discovered on the Department of Health and Human Services server on May 22 after an analysis by the forensic investigation firm Kroll, Montana Chief Information Officer Ron Baldwin said.
The malware was installed on or after July, which is when the health department’s computer server was first hacked and a website listed the health department computer server as vulnerable to attack, Baldwin said.
The website, Wooyun.org, was discovered in the forensic investigation. The website describes itself as a platform for security researchers to report vulnerabilities.
“It’s like a blog that hackers use to inform each other and brag to each other about what they know. It’s exposing the information because they can,” Baldwin said.
The health department’s server contained personal information and health records for a still-unknown number of people the department serves, along with the bank account information for the department’s 3,100 employees.
There is no evidence from the forensic investigation that the information was stolen or used, and there has been no known spike in identity thefts or bank accounts accessed, said Richard Opper, director of the state Department of Public Health and Human Services.
However, the agency doesn’t definitively know whether the information was accessed, so officials will offer free credit monitoring and identity-fraud insurance as a protective measure.
“We still have to react with this overabundance of caution even though the signs are good and we don’t think that happened,” Opper said.
There are 17,000 unauthorized attempts to enter the state computer system every hour on average, and it is difficult to ensure the state’s computer security is a step ahead of the hackers’ technology, Opper said.
The hackers used third-party software that needed a security patch to break into the server and plant the malware. The patch to protect that vulnerability was not available until a few weeks ago, but by then it was too late, Baldwin said.
Information technology employees on May 15 noted suspicious activity on the server, which contains Medicaid billing data, birth certificates, immunization records and a slew of other personal information from department programs and services that patients, health-care providers and employees can access online.
Health department officials shut down the server and sent copies of the files the next week to Kroll, which found the malware. Opper and Baldwin declined to identify both the vulnerable third-party software and the type of malware installed, citing security concerns.
They also said the forensic investigation could not pinpoint exactly when the malware had been installed.
Two additional health department computer servers contained the same software vulnerability, but no malware was found on them. No other servers on the state system are known to be in need of the security patch, Baldwin said.