Post-Attack, Health Agency Notifying 'All Alaskans'Alaska DHSS' IT Systems Are Still Recovering from Nation-State-Sponsored Attack
Alaska's Department of Health and Social Services says it is notifying "all Alaskans" that their information may have been compromised in a "highly sophisticated" nation-state-sponsored cyberattack that was detected in May, from which the department is still recovering.
In a statement on Thursday, the department says notification to individuals affected by the security breach will begin on Sept. 27, and was delayed several months to "avoid interference with a criminal investigation" into the incident.
All affected systems remain offline as DHSS continues to work through its recovery, the statement notes. DHSS does not yet have a timeline for when all services that are currently offline will be back online. Many divisions only have temporary webpages available currently, the department says.
“DHSS is continuing work to further strengthen its processes, tools and staff to be more resilient to future cyberattacks,” said Thor Ryan, the department's CISO, in the statement. “Recommendations for future security enhancements are being identified and provided to state leadership.”
So far, there is no indication that the incident involved ransomware, DHSS says.
DHSS says in the statement that it does not know exactly what information was compromised or who specifically might be affected, "which is why all Alaskans are being notified."
Potentially exposed information includes names, dates of birth, Social Security numbers, addresses, phone numbers, driver’s license numbers, internal identifying numbers - including case reports, protected service reports, Medicaid health information, financial information and historical information concerning individuals’ interaction with the department.
Alaska DHSS did not immediately respond to an Information Security Media Group request for additional details about the incident, including an estimate of the total number of individuals to be notified.
Statistics from the Alaska Department of Labor and Workforce Development show that Alaska's 2020 population is nearly 730,000.
This is not the first time the state's DHSS has notified nearly every individual in the state of a breach potentially compromising their personally identifiable and protected health information.
In January 2019, DHSS said it was notifying up to 700,000 individuals of a June 2018 hacking incident potentially affecting their PII and PHI (see: Victim Count in Alaska Health Department Breach Soars).
A statement issued by DHSS in June 2018 noted that the breach resulted from a division of public assistant computer in the state's northern region being infected with the Zeus/Zbot Trojan virus.
DHSS' recent statement notes that it is "coordinating its efforts" with the state office of IT to determine if the May 2021 incident "is related to any other cyberattacks either in Alaska or outside of Alaska."
In its statement, the department says the nation-state sponsored attacker exploited a vulnerable website and spread from there. "Providing any further specific details could give our attackers information that would help them, and others, be more successful in future cyberattacks."
The department says it has no evidence that the attackers are still active in its environment. It says however that it continues to address potential risks as part of the response conducted in partnership with third-party cybersecurity firm FireEye and its Mandiant unit, the state's security office, and law enforcement agencies.
"There is real concern that this group will come back to try again, so we continue to make our environment more resilient while monitoring our systems for new threats," DHSS says.
The department notes that it has so far spent at least $459,500 on the cyberattack - the amount of its contract with FireEye and Mandiant - in addition to the cost of an as-yet-unknown total of hours DHSS staff spent working on recovery from the incident.
"The large size of the department’s IT infrastructure and complexity of the data and systems used by the department have required a careful, meticulous approach that takes time to make our services more resilient and get them back online," DHSS says.
As systems come back online, DHSS says, it is taking steps to make them as resilient as possible to protect against future cyberattacks. "Additional steps are being planned for post-incident hardening of our IT infrastructure."
The May cyberattack on DHSS came amid several other security incidents involving public health departments in the U.S. and elsewhere.
They included a May ransomware attack on the Ireland Health Department and COVID-19 data exposures in public health departments in Wyoming and Pennsylvania (see: Alaska Health Department Services Affected by Malware Attack).
The breadth and scope of the information public health departments hold on state residents make these entities appealing targets for hacking incidents, says Mac McMillan, CEO of privacy and security consultancy CynergisTek.
"The state has many different types of information regarding their residents, some of which is very personal, some of which has financial value and still other that is potentially embarrassing," he says.
The Alaska DHSS has been the victim of another high-profile data security incident besides the 2018 cyberattack and the most recent one.
In 2012, department agreed with a $1.7 million HIPAA settlement with the U.S. Department of Health and Human Services' Office for Civil Rights in the wake of a 2009 breach involving an unencrypted USB drive potentially containing Medicaid beneficiaries' health information (see: Alaska HIPAA Penalty: $1.7 Million).
HHS OCR's investigation into that incident determined that DHSS had a number of security shortcoming, including failure to complete a risk assessment and to implement sufficient risk management measures.