Alaska DHSS Discovers Malware Infection and Possible PHI Breach

A Trojan horse virus has been discovered on two computers used by the Alaska Department of Health and Social Services. The virus potentially allowed malicious actors to gain access to the data stored on the devices.

Katie Marquette, Communications Director of the Alaska DHSS, issued a statement confirming there was “a potential HIPAA breach of more than 500 individuals.” At present, the exact number of individuals affected has not been disclosed.

An analysis of the two malware-infected computers revealed the attackers, who are believed to be located in the Western region, may have been able to obtain sensitive information such as Office of Children’s Services (OCS) documents and reports. Those documents contained details of family case files, medical diagnoses and observations, personal information and other related information.

The investigation into the breach is ongoing and the DHSS Information Technology and Security team is currently attempting to determine the exact nature of the breach and whether any sensitive data were accessed or exfiltrated.

Individuals impacted by the breach will be notified in due course and will be provided with up-to-date information as the investigation progresses. At present, the breach appears to be limited to individuals who had prior contact with the Office of Children’s Services.

Due to the potential for data misuse, those individuals have been advised to protect themselves against identity theft and fraud and should carefully review their accounts, Explanation of Benefits statements, and obtain a credit report from one of the three credit monitoring agencies (Experian, Equifax, TransUnion) and to look for any signs of fraudulent activity.

Kaiser Permanente Alerts Members to Email Incident

Kaiser Permanente is notifying approximately 600 members from the Riverside, CA area about privacy breach that saw some of their protected health information emailed to an incorrect recipient.

The email contained a document that included names, medical record numbers and details of procedures performed. No Social Security numbers, financial information or other sensitive data were disclosed.

The incident occurred on August 9, 2017, with the privacy breach believed to have resulted from an error made by an employee when entering an email address. The owner of the email address to which the information was sent is unknown at this time. Kaiser Permanente believes this was an error and there was no malicious intent, although an investigation is ongoing to rule out the possibility of foul play.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.