State health department: Alaskans’ personal information was exposed in May cyberattack

ANCHORAGE, Alaska (KTUU) - Months after Alaska’s state health department was the target of a cyberattack that disabled many online services for Alaska residents, state officials say the attack breached stores of personal information and potentially exposed it.

In May, the Alaska Department of Health and Social Services was hit by a cyberattack that disrupted a long list of services, including background checks and obtaining death and birth certificates. The department’s main website was down, but the state’s data hub for tracking COVID-19 remained online.

On Thursday, the department announced that during the cyberattack in May, there was a breach of the Health Insurance Portability and Accountability Act (HIPAA) and the Alaska Personal Information Protection Act. In a press release, the department said it did not notify Alaskans of this breach sooner “to avoid interference with a criminal investigation.”

In a press conference also on Thursday, department Cybersecurity Officer Thor Ryan said it was not up to the state health department to decide whether or when to alert Alaskans to the fact that their information was exposed. The timeline of when to make that information public was dictated by the investigating law enforcement entity, he said.

“It’s not up to us to choose when we do that,” Ryan said. “Under HIPPA, we are required to delay notification if there is an active law enforcement investigation and we are requested to delay notification.”

When asked who conducted the investigation, Ryan said the agency requested that they not be named.

During the press conference, department Commissioner Adam Crum said it was fair to say that the personal information of all Alaskans may have been exposed in this attack.

“The breach involves an unknown number of individuals but potentially involves any data stored on the department’s information technology infrastructure at the time of the cyberattack,” the release states. “Due to the potential for stolen personal information, DHSS urges all Alaskans who have provided data to DHSS, or who may have data stored online with DHSS, to take actions to protect themselves from identity theft.”

Before the department shut down its systems, attackers “potentially had access” to the following information:

• Full names
• Dates of birth
• Social Security numbers
• Addresses
• Telephone numbers
• Driver’s license numbers
• Internal identifying numbers (case reports, protected service reports, Medicaid, etc.)
• Health information
• Financial information
• Historical information concerning a person’s interaction with DHSS

The department is utilizing the list of people who applied for a Permanent Fund dividend to send out emails that will include a code people can use to sign up for free credit monitoring the state is offering in light of this information exposure. Crum confirmed Thursday that the cyberattack is limited to the state health department, and the department is simply utilizing contact information for PFD applicants to reach more people.

Sylvan Robb, administrative services director for the department, said the opportunity to have that credit monitoring service is open to all Alaskans, and that the contract to provide that service costs about $215,000.

To ask questions, call 1-888-484-9355 or email privacyofficial@alaska.gov. Alaskans will be able to sign up for the credit monitoring via a toll-free hotline the department is making available next Tuesday, Sept. 21. The phone number and website to sign up for the service will be provided on the department’s website.

The evidence from the investigation currently suggests the attack was contained within the state health department, said Scott McCutchen, the department’s technology officer, though he said the possibility of lateral movement to other departments always exists.

In its last press release on Aug. 4, the department wrote that “At this time, the investigation has found no indications that this was a ransomware attack and there is no current evidence that Alaskans’ protected health information or personally identifiable information was stolen.”

Nowhere in that release did the department state that there was the potential of personal information being exposed or compromised. However, the department did address it in an accompanying frequently asked questions document.

“At this time, Mandiant (a cybersecurity firm) has thoroughly examined the department’s technology infrastructure and has currently found no evidence that Alaskans’ protected health information or personally identifiable information has been stolen,” a section from the frequently asked questions document states. “However, this is still a dynamic situation, and all systems are continuing to be monitored. If at any time DHSS becomes aware of compromised protected health information or personally identifiable information, the department will notify partners, vendors and individuals who were directly affected by the attack.”

Three months after the initial cyberattack, the department announced it had gotten its vital records section — the section responsible for processing birth and death certificates — back online, but that staff were working through a backlog of requests. The department had begun using a manual process to fulfill certificate requests and conduct background checks in June.

A press release from the department when the vital records section came back online said that those responsible for the cyberattack were “a highly sophisticated group known to conduct complex cyberattacks against organizations such as state governments and health care entities.”

Editor’s note: This article has been updated with additional information.

Copyright 2021 KTUU. All rights reserved.