Arjuna Kodisinghe - stock.adobe.
Alaska Health Department Notifies Residents of Cyberattack
The Alaska Department of Health and Social Services began notifying the public about a cyberattack that impacted an unknown number of Alaskans.
The Alaska Department of Health and Social Services (DHSS) began notifying Alaska residents about a May 2021 cyberattack that impacted an unknown number of Alaskans and may have exposed protected health information (PHI). DHSS said it delayed notifying impacted individuals until mid-September in order to avoid interference with a criminal investigation.
The breach potentially gave hackers access to any data stored on DHSS’s IT infrastructure at the time of the attack. The exposed information may have included full names, Social Security numbers (SSNs), addresses, health information, financial information, internal identification numbers, birth dates, and telephone numbers.
On May 18, DHSS posted its first press release regarding the incident and stated that its website would be taken offline while authorities conducted an investigation. The department’s background check system, State of Alaska Vital Records system, Behavioral Health and Substance Abuse Management System (AKAIMS), and numerous other health department services were taken offline.
On June 7, DHSS announced that its investigation was still ongoing. The health department explained that it was thoroughly investigating and analyzing the attack while attempting to recover systems and strengthen its IT services.
“I’m sure Alaskans have many questions about this attack, but I ask for their patience and understanding to give our team the time needed to complete the investigation,” Adam Crum, DHSS commissioner, said in the June 7 statement.
“Just as law enforcement agencies are cautious in releasing details during an active investigation, we must be careful not to inadvertently give the attackers any details about our actions that could further hinder our recovery.”
DHSS announced on August 4 that it had identified the sophisticated hacking group responsible for conducting the cyberattack and stated that it had no reason to believe that ransomware was involved or that protected health information was stolen.
“This was not a ‘one-and-done’ situation, but rather a sophisticated attack intended to be carried out undetected over a prolonged period. The attackers took steps to maintain that long-term access even after they were detected,” said Scott McCutcheon, DHSS technology officer.
“In addition to getting everything back up and running, our team is taking strong, preventative actions and developing more robust incident response capabilities so we can quickly respond to any future cyberattacks.”
The September announcement revealed that investigators could no longer rule out a PHI breach. As a result, any concerned Alaskan may sign up for free credit monitoring.
“Alaskans entrust us with important health information, and we take that responsibility very seriously,” Crum stated in the September announcement.
“Unfortunately, despite our best efforts at data protection, as the investigation into the cyberattack progressed, it became clear that a breach of personal and health information had occurred.”
Some of the health department’s services are still offline, and DHSS recommended that residents looking for specific services call the department directly.