A major cybersecurity breach of Alaskans’ private health and personal information was disclosed Thursday by Adam Crum, commissioner of the Department of Health and Social Services.
The security breach involved protected personal information under HIPAA and the Alaska Personal Information Protection Act (APIPA).
Officials said they do not know the exact scope of the breach or how many records may have been exposed. “It’s a fair statement to say that any Alaskan could have been compromised with this,” Crum said Thursday at a press conference.
“In terms of the total number of actual people who had a breach of personal information, we could not ascertain that number at all. There was evidence that data was exfiltrated or removed but we don’t have information what was in that,” said DHSS technology officer Scott McCutcheon.
DHSS formally notified the public Thursday about the breach of consumer information. But the cyberattack was first discovered in early May. Public notification was delayed to avoid interference with a federal criminal investigation, which is still underway, agency officials said.
The breach potentially involves any data stored online at DHSS at the time of the cyberattack, the agency said. Accessed information may include the following:
• Full names
• Dates of birth
• Social Security numbers
• Telephone numbers
• Driver’s license numbers
• Internal identifying numbers (case reports, protected service reports, Medicaid, etc.)
• Health information
• Financial information
• Historical information on public interactions with DHSS
DHSS is encouraging Alaskans who have provided personal information to the agency, or who may have data stored online with DHSS, to take action to protect themselves from identity theft.
“We basically touch the lives of most every Alaskan,” McCutcheon said. “If we needed to notify Alaskans of the breach, we basically have to cover the whole state.”
Free credit monitoring is being made available by the state as a result of the breach. A toll-free hotline is scheduled to open on Sept. 21 to answer questions and help people sign up for the free credit monitoring. The phone number and the website for the credit monitoring service will be provided on the DHSS website at dhss.alaska.gov.
Between Sept. 27 and Oct. 1, email notices also will be sent to Alaskans who have applied for a Permanent Fund dividend. It will include a code they can use to sign up for the credit monitoring service. People who don’t receive the code will need to contact the toll-free hotline for assistance.
DHSS also is taking questions at its toll free number: 1-888-484-9355, or people can email PrivacyOfficial@alaska.gov. But the sign-up process for the credit monitoring service will need to go through the toll-free hotline, available on Sept. 21.
“Alaskans entrust us with important health information, and we take that responsibility very seriously,” Crum said. “Unfortunately, despite our best efforts at data protection, as the investigation into the cyberattack progressed, it became clear that a breach of personal and health information had occurred. We are notifying the public of this breach, as required by law, and want Alaskans who may have provided personal information to DHSS to exercise caution.”
A security monitoring firm noticed signs of the cyberattack on May 2. The Office of Information Technology Security Office notified DHSS of unauthorized computer access on May 5. DHSS immediately shut down systems to protect individuals’ information.
The cybersecurity company FireEye identified the attackers as “a highly sophisticated group known to conduct complex cyberattacks against organizations that include state governments and health care entities.”
DHSS declined to comment on the identity of the group due to the ongoing investigation. Security of DHSS online services are being strengthened and fortified to prevent future intrusions and attacks.
“There is a low probability that there is any remaining entity or attacker in our department. There are potentially unknown threats still present but based on all information we have there is no indication of a compromise at this time,” McCutcheon said.