Disclosure part of lengthy investigation into sophisticated attack that took place in May
The Alaska Department of Health and Social Services (DHSS) has warned that a “highly sophisticated” cyber-attack may have exposed residents’ personal data, including financial information.
The “malware attack”, which took place in May, has affected “an unknown number of individuals but potentially involves any data stored on the department’s information technology infrastructure at the time of the cyber-attack”, said the DHSS in a press release (PDF) published yesterday (September 16).
“Due to the potential for stolen personal information, DHSS urges all Alaskans who have provided data to DHSS, or who may have data stored online with DHSS, to take actions to protect themselves from identity theft.”
The DHSS website was taken offline on May 17 after an intrusion that the agency said was first detected on May 2.
Before systems were shut down, attackers potentially had access to full names, dates of birth, Social Security numbers, addresses, phone numbers, driver’s license numbers, health information, and financial information.
Internal identifying numbers, such as for Medicaid or case reports, and historical information concerning individuals’ interaction with DHSS were also potentially exposed.
The DHSS has been working to restore a raft of online services disabled by the attack. DHSS technology officer Scott McCutcheon said that “all affected systems remain offline as we diligently and meticulously move through the three phases of our response”.
The department said it delayed its latest announcement, which states it has reported the breach under the Health Insurance Portability and Accountability Act (HIPAA) and Alaska Personal Information Protection Act (APIPA), “to avoid interference with a criminal investigation”.
Help for Alaskans
A hotline will be operational from Tuesday (September 21) to field questions from concerned residents and, if they wish, help them sign up for a free credit monitoring service.
“Alaskans entrust us with important health information, and we take that responsibility very seriously,” said DHSS commissioner Adam Crum.
“Unfortunately, despite our best efforts at data protection, as the investigation into the cyber-attack progressed, it became clear that a breach of personal and health information had occurred.”
DHSS’ previous statement on the incident, on August 4, said there was “no current evidence that Alaskans’ protected health information or personally identifiable information was stolen”.
DHSS technology officer Scott McCutcheon said at the time that “the attackers took steps to maintain … long-term access even after they were detected”.
In the latest statement, DHSS CISO Thor Ryan commented: “DHSS is continuing work to further strengthen its processes, tools and staff to be more resilient to future cyber-attacks.”