Up to 1.3 million records, including health care and bank account information, may have been exposed after a server at Montana’s public health department was hacked in May, the state said Tuesday.

The server, which belonged to the Department of Public Health and Human Services, was shut down on May 22, a week after suspicious activity was noticed and an independent forensic investigation began, according to a news release.

The state said it has no knowledge if data on the server was inappropriately used or accessed. The data was backed up.

The server held information such as names, addresses, birth dates and Social Security numbers for services citizens had applied for or received. For some people, the information may have included data on health assessments, diagnoses, treatment, health condition, prescriptions and insurance, the state said.

Birth and death records, part of the state’s Vital Statistics database, were also on the server.

Contractors as well as current and former employees of the department may have been affected. The server contained their names, addresses, birth dates, Social Security numbers along with bank account information and dates of service, the state said.

Those affected are being contacted by the department and will be offered free credit monitoring, according to a statement.

Montana had upgraded its property insurance policy last year to include coverage for data security incidents. The US$2 million policy will cover costs such as setting up a toll-free help line, free credit monitoring and mailing notification letters, the state said.

The policy should cover the “majority” of costs for this incident, it said.

The state said it has since restored the affected systems and added additional security software “to better protect sensitive information on existing servers.”