The Alaska Department of Health and Social Services (DHSS) is about to start mailing notification letters to all individuals in the state telling them their personal and health information may have been compromised in a highly sophisticated cyberattack conducted by a nation state threat actor.
The cyberattack was detected on May 2, 2021, and the DHSS was notified about the attack on May 5 and advised to shut down its systems immediately to prevent further unauthorized access. Details of when the hackers first gained access to DHSS systems have not been released, but it is known that Advanced Persistent Threat (APT) actors had access to DHSS systems for at least 3 days.
The DHSS has previously reported the security incident and issued an update about the breach in August. The latest update, on September 16, explains the potential impact the attack will have on Alaskans. In the latest update, the DHSS said notifications were delayed so as not to interfere with the criminal investigation into the attack.
The cyberattack was extensive and caused major disruption. Some IT systems affected remain offline, including the websites of many divisions. Temporary web pages have been used to host critical information until the websites can be restored. It is not yet known when all systems will be brought back online. The department’s IT infrastructure is complex, so the recovery process is taking a long time.
The cybersecurity firm Mandiant was engaged to conduct a forensic investigation into the cyberattack. In an August update, the DHSS said hackers had exploited a website vulnerability which allowed them to gain access to DHSS data. “This was not a ‘one-and-done’ situation, but rather a sophisticated attack intended to be carried out undetected over a prolonged period. The attackers took steps to maintain that long-term access even after they were detected,” said DHSS Technology Officer Scott McCutcheon.
All data stored on DHSS infrastructure at the time of the attack is presumed to have been compromised and could potentially be misused, which means the personal and health data of more than 700,000 individuals has likely been breached.
DHSS is currently unaware which information has been accessed or stolen, but it likely includes names, dates of birth, Social Security numbers, phone numbers, addresses, driver’s license numbers, internal identifying numbers (including case reports, protected service reports, Medicaid etc.), health information, financial information and historical information concerning any interactions with the DHSS.
“DHSS urges all Alaskans who have provided data to DHSS, or who may have data stored online with DHSS, to take actions to protect themselves from identity theft,” explained the DHSS in its breach notice. The DHSS says it is providing free credit monitoring services to “any concerned Alaskan” as a result of the cyberattack, and a code for signing up for those services is being provided in the breach notification letters, which will be mailed between September 27, 2021 and October 1, 2021.
This is a breach of both the Health Insurance Portability and Accountability Act (HIPAA) and the Alaska Personal Information Protection Act (APIPA).
“DHSS is continuing work to further strengthen its processes, tools and staff to be more resilient to future cyberattacks,” said DHSS Chief Information Security Officer Thor Ryan. “Recommendations for future security enhancements are being identified and provided to state leadership.”
It is not the first time that a data breach has affected all state residents. In January 2019, around 700,000 Alaskans were notified by DHSS about a hacking incident that exposed their personal data. In that incident, the Zeus Trojan had been installed on the DHSS network in June 2018.