Alaska DHSS Says May 2021 Cyberattack Could Impact All Alaskans

Following a highly sophisticated cyberattack, believe to have been managed by a nation state threat actor, the Alaska Department of Health and Social Services (DHSS) has initiated a correspondence project to inform all state citizens that there PHI may have been infiltrated in the data breach. 

This breach was initially discovered on May 2, 2021, three days before the DHSS made aware of it and moved to disable its networks to prevent any additional unauthorized access. It remains unknown as to when the cybercriminals first obtained access to DHSS databases. However it has been revealed that Advanced Persistent Threat (APT) actors had been active on DHSS databases for a minimum of three days.

A September 16 press release confirmed that breach notifications were initially delayed to avoid any impact on the criminal investigation.

Third party cybersecurity firm Mandiant was contract to investigate the data breach and discovered, according to an update during August the those responsible for the attack had targeted a vulnerability in the corporate website. This weak point enable the hackers to access to DHSS data.

DHSS Technology Officer Scott McCutcheon said: “This was not a ‘one-and-done’ situation, but rather a sophisticated attack intended to be carried out undetected over a prolonged period. The attackers took steps to maintain that long-term access even after they were detected”.

It is believe that, potentially, all data held on DHSS databases when the attack occurred may have been compromised and could potentially be used for ill means. In total, this include the PHI of over 700,000 people.

DHSS is currently unaware which information has been accessed or stolen, but it likely includes names, dates of birth, Social Security numbers, phone numbers, addresses, driver’s license numbers, internal identifying numbers (including case reports, protected service reports, Medicaid etc.), health information, financial information and historical information concerning any interactions with the DHSS.

DHSS in its breach notice said: “DHSS urges all Alaskans who have provided data to DHSS, or who may have data stored online with DHSS, to take actions to protect themselves from identity theft. “

Additionally the DHSS is making available complimentary credit monitoring services to “any concerned Alaskan” impacted by the cyberattack, and a code for signing up for those services is available in the breach notification letters, which will be sent out from September 27, 2021 to October 1, 2021.

Previously, in early 2019, the DHSS informed approximately 700,000 Alaskans that their personal data was exposed in a cyberattack that deployed the Zeus Trojan. The malicious Trojan had been in place on the DHSS databases since June 2018.

DHSS Chief Information Security Officer Thor Ryan: “DHSS is continuing work to further strengthen its processes, tools and staff to be more resilient to future cyberattacks. Recommendations for future security enhancements are being identified and provided to state leadership.”