HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Alaska Department of Health and Social Services Revises 2018 Breach Victim Total from 501 to 500K-700K

A laptop computer malware infection discovered by the Alaska Department of Health and Social Services (ADHSS) in April 2018 was initially thought to have potentially allowed hackers to gain access to the electronic protected health information (ePHI) of 501 individuals; however, the breach has been determined to be far more extensive than was initially thought.

On January 22, 2019, state officials said the malware potentially allowed the attackers to access and obtain the ePHI of between 500,000 and 700,000 individuals and that notification letters to the additional breach victims people had started to be sent. Two days later, the number of breach victims was revised to 87,000 individuals.

The malware variant used in the attack was a variant of the Zeus/Zbot Trojan – An information stealer. The individuals whose ePHI was potentially obtained by the hackers had interacted at some point with the Department of Public Assistance (DPA) through the DPA Northern regional offices.

Last year, ADHSS said the laptop had accessed sites in Russia, had unauthorized software installed, and other suspicious computer behavior was discovered that strongly indicated and malware infection. ADHSS was able to identify the virus and remove it, although the malware gave the attackers had access to the laptop between April 26 and April 30, 2018.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

The malware was determined to have been inadvertently installed by an employee as a result of opening an email attachment. According to Shawnda O’Brien, director of the state’s Division of Public Assistance, the email appeared to be legitimate and sent from an applicant requesting assistance.

O’Brien explained that by the time the Trojan was identified and removed, it had got through several layers of security and the attackers gained full access to the laptop’s hard drive. The malware was not initially detected by anti-virus software as it was a day one attack – Conducted before the AV software had been updated with the Trojan’s signature.

The attack was investigated by ADHSS and the breach was reported to the Department of Health and Human Services’ Office for Civil Rights on June 28, 2018, although the investigation into the breach continued.

Due to the volume of data involved, assistance was sought from the FBI. The FBI’s analysis was extensive and took several months to complete. ADHSS has only recently received a list of the individuals whose PHI was stored on the laptop. The FBI investigation is continuing.

The laptop contained documents that included first and last names, dates of birth, phone numbers, Medicaid/Medicare billing codes, criminal justice information, health billing information, Social Security numbers, driver’s license numbers, pregnancy status, incarceration status, and other confidential information.

O’Brian said to KTVA, “We don’t have any reason to believe their information was compromised, but because their information could have been compromised, we had to let them know.”

While the virus made contact with sites in Russia, it could not be established whether the hackers were based in Russia or who was behind the attack.

Malicious emails can be highly convincing and can easily fool employees; however, this is not the only malware attack to have been experienced by AHDSS. Malware was discovered on two desktop computers in 2017. The breach was also reported to have affected 501 individuals. In 2009, a laptop computer was stolen that contained ePHI. That breach was also reported to have affected 501 individuals.

The 2009 breach was investigated by OCR which uncovered multiple HIPAA violation. The case was settled in 2012 and a financial penalty of $1.7 million was paid to OCR. The HIPAA violations included the failure to conduct a comprehensive risk analysis to identify vulnerabilities that could be exploited to gain access to PHI, insufficient device and media controls, and a lack of staff training on data security.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.