In one of the largest HIPAA breaches ever reported, the Montana Department of Public Health and Human Services is notifying some 1.3 million people after hackers gained unfettered access to an agency server for nearly a year before being discovered. 

 

Hackers likely first gained accessed to the server as far back as July 2013, according to DPHHS officials, but the breach was only discovered on May 15, 2014. An independently-conducted investigation confirmed May 22 the server had been accessed by outsiders. 

 

[See also: Hackers swipe health data of 405K.]

 

Data compromised included client, employee and contractors' names, addresses, dates of birth, Social Security numbers, clinical and medical data and dates of service. DPHHS employee bank account and payroll information was also held on the server, officials say. 

 

The server has since been shut down and replaced with a new one. 

 

[See also: Hacker calls health security 'Wild West'.]

 

This is the fifth biggest HIPAA breach ever reported, according to data from the Department of Health and Human Services, and the largest hacking-related HIPAA breach to date. 

 

"We apologize for the stress this announcement is going to cause," said Richard H. Opper, director of the DPHHS, in a prepared statement. "DPHHS is committed to answering questions clients and employees may have and to help them to take advantage of the services we are offering." DPHHS will be providing affected clients with credit monitoring services. 

 

Just this February, hackers also targeted and gained access to a server of the five-hospital St. Joseph Health System in Bryan, Texas, compromising the protected health information of some 405,000 individuals. The hackers had access to the server for three days before being discovered. 

 

[See also: Hacker group strikes Boston Children's.]