HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Zeus Trojan Infection Potentially Resulted in Theft of PHI from Alaska DHSS

The Alaska Department of Health and Social Services (ADHSS) is notifying ‘more than 500’ individuals that some of their protected health information (PHI) has potentially been accessed and stolen by hackers.

On April 26, the ADHSS discovered malware had been installed on an employee’s computer after suspicious behavior was detected. The investigation revealed malware had been installed – a variant of the Zeus/Zbot Trojan – which is known to be used to steal sensitive information.

The malware was discovered to have communicated with IP addresses in Russia, although it is not known whether the attackers are based in Russia or just using Russian IP addresses. ADHSS has not confirmed whether protected health information was exfiltrated to those IP addresses, although data access and theft of PHI is a possibility.

Under the Health Insurance Portability and Accountability Act, HIPAA-covered entities must report data breaches as soon as possible, but no later than 60 days following the discovery of a breach. AHDSS chose to delay the issuing of notifications until just before the deadline to allow investigators to determine the nature and extent of the breach.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The infected computer contained a range of documents that included sensitive information of individuals in the Northern region of Alaska. Patients affected by the breach had previously had dealings with the ADHSS division of Public Assistance (DPA) through the DPA Northern regional offices.

The types of information potentially stolen include first and last names, phone numbers, dates of birth, pregnancy status, death status, incarceration status, Medicaid/Medicare billing codes, Social Security numbers, driver’s license numbers, and other confidential information.

In its breach notice, ADHSS explained it had multiple layers of security in place to prevent malware infections, but in this instance those defenses had been bypassed.

Immediately after the virus was discovered the computer was taken offline to prevent any further data access. The ADHSS Information Technology and Security team is continuing to investigate the breach and will be implementing additional protections to prevent further breaches of this nature.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.