The state of Missouri mailed letters last week to 10,400 individuals informing them their personal information was breached almost two months earlier.

The Department of Health and Senior Services (DHSS) issued a generic news release Friday noting the breach occurred sometime before September 30th, 2016.  But the agency also says the state discovered the situation on August 30th of this year, two years later, and took action to secure the information.

The type of personal information breached includes names, dates of birth, identification numbers issued by some State agencies and a limited number of social security numbers.  The Department claims an information technology contractor for the state improperly retained the information and then allowed it to be stored in an electronic file that was not password protected.

It says it has no reason to believe that the information was viewed or used by anyone intending harm but is recommending individuals remain vigilant by reviewing account statements and monitoring free credit reports for unusual activity.

The Department says the type and amount of personal information breached by the contractor varied by person and not all information from every person was compromised.

Missouri Department of Health and Senior Services (DHSS) Director Dr. Randall Williams issued a statement confirming the breach and outlining actions the agency has taken.

“We have concerns that prior to September 30, 2016, a past contracted vendor may have acted illegally by retaining some names, dates of birth, identification numbers issued by some State agencies and a very limited number of social security numbers,” said Williams.  “The State learned of this incident on the Thursday before Labor Day.  We immediately worked with other State agencies over the Labor Day holiday to prevent any dissemination of this data now or in the future.  Present leadership takes very seriously our requirement to protect information, and we have referred our findings to the appropriate law enforcement authority.”

The Missouri Office of Administration says its referred the issue to the Attorney General’s Office for potential legal action against the former system development and support contractor that improperly retained data in 2016. In a statement, the agency said it wanted to be clear the breach was not due to a problem with the State of Missouri IT system.

The agency did not respond to a question from Missouriunet asking why it took two years for the state to find out about the breach, and why the state waited to go public with its August 30th discovery for nearly two months.

Anyone receiving a letter from DHSS who has additional questions can call the department at 888-252-8045, Monday through Friday, 8 a.m. to 5 p.m.

(Correction: An earlier version of this story stated that the breach occurred prior to September 30, without stipulating the breach occurred that it was September 30, 2016