Cyberattack on Alaska DHSS website includes HIPAA and APIPA breach
Update of October 5, 2021: On September 22, Alaska DHSS reported this incident to HHS as a health plan, and indicated that they were notifying 500,000 individuals (even though there was no evidence of data exfiltration). As of today, some of the state’s divisions are still not fully restored on the web.
The Alaska Department of Health and Social Services (DHSS) is notifying the public today of a security breach of the Health Insurance Portability and Accountability Act (HIPAA) and the Alaska Personal Information Protection Act (APIPA). This breach was caused by a highly sophisticated cyberattack on DHSS that was first detected in May 2021. Notification of this security breach was delayed until now to avoid interference with a criminal investigation.
The breach involves an unknown number of individuals but potentially involves any data stored on the department’s information technology infrastructure at the time of the cyberattack. Due to the potential for stolen personal information, DHSS urges all Alaskans who have provided data to DHSS, or who may have data stored online with DHSS, to take actions to protect themselves from identity theft.
Free credit monitoring is being made available to any concerned Alaskan as a result of this breach. More information about the breach, including the breach notification statement and frequently asked questions, are available at dhss.alaska.gov. On Tuesday, Sept. 21, a toll-free hotline will be available (5 a.m. to 5 p.m. Alaska time) to answer questions and assist people with signing up for the free credit monitoring service. That phone number and the website for the credit monitoring service will be provided on the DHSS website at dhss.alaska.gov.
Between Sept. 27 and Oct. 1, 2021, email notices will be sent to all Alaskans who have applied for a Permanent Fund Dividend which will include a code they can use to sign up for the credit monitoring service. People who don’t receive a code will need to contact the toll-free hotline for assistance. Questions may also be directed to DHSS at 1-888-484-9355 or [email protected], however the sign-up process for the credit monitoring service will need to go through the toll-free hotline available Sept. 21.
As always, Alaskans should monitor for unusual activity on their online accounts and report any suspicious behavior to the appropriate authorities. For more information on how to avoid and report identity theft, please visit the U.S. Federal Trade Commission’s (FTC) website, IdentityTheft.gov, or call 1-877-438-4338. The FTC will collect the details of your situation.
“Alaskans entrust us with important health information, and we take that responsibility very seriously,” said DHSS Commissioner Adam Crum. “Unfortunately, despite our best efforts at data protection, as the investigation into the cyberattack progressed, it became clear that a breach of personal and health information had occurred. We are notifying the public of this breach, as required by law, and want Alaskans who may have provided personal information to DHSS to exercise caution. Concerned Alaskans are encouraged to sign up for the free credit monitoring service being offered.”
“Regrettably, cyberattacks by nation-state-sponsored actors and transnational cybercriminals are becoming more common and are an inherent risk of conducting any type of business online,” said DHSS Technology Officer Scott McCutcheon. “As soon as this incident was discovered, our Information Technology staff acted swiftly to prevent further access by the attackers to its systems. All affected systems remain offline as we diligently and meticulously move through the three phases of our response. Work is continuing to restore online services in a manner that will better shield DHSS and Alaskans from future cyberattacks.”
“DHSS is continuing work to further strengthen its processes, tools and staff to be more resilient to future cyberattacks,” said DHSS Chief Information Security Officer Thor Ryan. “Recommendations for future security enhancements are being identified and provided to state leadership.”
Through proactive surveillance, a security monitoring firm noticed the first signs of the cyberattack on May 2, 2021. The State of Alaska Office of Information Technology Security Office then notified DHSS of unauthorized computer access on May 5, 2021. As soon as the attack was detected, DHSS immediately shut down systems to protect individuals’ information and deny further access by the attacker to DHSS data. Before DHSS implemented the shutdown, the attackers potentially had access to the following types of individuals’ information:
- Full names
- Dates of birth
- Social Security numbers
- Telephone numbers
- Driver’s license numbers
- Internal identifying numbers (case reports, protected service reports, Medicaid, etc.)
- Health information
- Financial information
- Historical information concerning a person’s interaction with DHSS
More details about this cyberattack can be found in the attached FAQ that was updated today, on dhss.alaska.gov, and in three previous press releases:
- 05/18: DHSS website experiencing cyberattack; some services disrupted as investigation is conducted
- 06/07: Investigation and response to cyberattack ongoing; divisions implement alternate business processes to continue serving Alaskans
- 08/04: Detection and analysis phase of cyberattack response complete; vital records section back online, working through backlog