The Alaska Department of Health and Social Services (DHSS) is about to begin mailing notification letters to all people in the state to let them know about the potential compromise of their personal and health information due to a highly sophisticated cyberattack carried out by a nation-state threat actor.
The cyberattack was discovered on May 2, 2021 and the DHSS was informed regarding the attack on May 5, and was told to de-activate its systems right away to avoid further unauthorized access. Particulars of when the attackers initially acquired access to DHSS systems were not disclosed, however, it is well-known that Advanced Persistent Threat (APT) actors got access to the systems of DHSS for about 3 days.
The DHSS has earlier announced the security incident and released an update concerning the breach in August. The most recent update on September 16 clarifies the probable effect the attack will have on Alaskans. The DHSS also said notifications were late so as not to obstruct the criminal investigation into the cyberattack.
The cyberattack was substantial and prompted big disruption. A number of IT systems affected stay unavailable, such as the sites of several divisions. Temporary sites were utilized to host critical files until the web pages can be reactivated. There is no date yet when all systems will be back on the internet. The department’s IT infrastructure is complicated, therefore the recovery progression is taking quite a while
The cybersecurity company Mandiant was engaged to do a forensic investigation into the cyberattack. In an August news, the DHSS stated hackers had exploited a site vulnerability that enabled them to obtain access to DHSS data. This sophisticated attack was carried out undetected over an extended period of time. The attackers took steps to sustain that long-time access even after they were discovered, stated DHSS Technology Officer Scott McCutcheon.
All information kept on DHSS infrastructure during the attack is thought to have been compromised and can possibly be misused, meaning the personal and health records of more than 700,000 persons have probably been breached.
DHSS is presently not aware which records were accessed or stolen, nevertheless, it possibly includes names, dates of birth, phone numbers, addresses, Social Security numbers, driver’s license numbers, internal identifying numbers (which include case reports, protected service reports, Medicaid and so on.), health data, financial data and historical details regarding any connections with the DHSS.
DHSS urges all Alaskans who presented information to DHSS, or who may have records saved on the web with DHSS, to take steps to safeguard themselves from identity theft,” mentioned in the DHSS breach notice. The DHSS states it is offering free credit monitoring services to “any affected Alaskan” because of the cyberattack, and a code for registering for those services is being given in the breach notification letters, which is going to be sent between September 27, 2021 and October 1, 2021.
This breach incident both concerns the Alaska Personal Information Protection Act (APIPA) and the Health Insurance Portability and Accountability Act (HIPAA).
“DHSS is still working to further reinforce its processes, tools and employees to be tougher against upcoming cyberattacks, stated DHSS Chief Information Security Officer Thor Ryan. Advice for long-term security enhancements is being determined and offered to state leadership.
It isn’t the first time that a data breach has impacted all state citizens. In January 2019, about 700,000 Alaskans were informed by DHSS regarding a hacking case that exposed their personal information. In that incident, the Zeus Trojan had been installed on its network in June 2018.