The Alaska Department of Heath and Social Services is reporting of a security breach of the Health Insurance Portability and Accountability Act (HIPAA) and the Alaska Personal Information Protection Act (APIPA). The breach was caused by a highly sophisticated cyberattack on the DHSS that was first detected in May 2021. Notification of the security breach was reportedly delayed till Thursday to avoid interference with a criminal investigation. The breach involves an undetermined amount of individuals but possibly involves any data stored on the department’s information technology infrastructure at the time of the cyberattack.
A security monitoring firm noticed the first signs of the cyberattack on May 2, 2021. The State of Alaska Office of Information Technology Security Office then notified DHSS of unauthorized computer access on May 5, 2021. As soon as the attack was detected, DHSS immediately shut down systems to protect individuals’ information and deny further access by the attacker to DHSS data. Before DHSS implemented the shutdown, the attackers potentially had access to the following types of individuals’ information:
- Full names
- Dates of birth
- Social Security numbers
- Addresses
- Telephone numbers
- Driver’s license numbers
- Internal identifying numbers (case reports, protected service reports, Medicaid, etc.)
- Health information
- Financial information
- Historical information concerning a person’s interaction with DHSS
Due to the potential for stolen personal information, DHSS urges all Alaskans who have provided data to DHSS, or who may have data stored online with DHSS, to take actions to protect themselves from identity theft.
Free credit monitoring is being made available to any concerned Alaskan as a result of this breach. More information about the breach, including the breach notification statement and frequently asked questions, are available at dhss.alaska.gov. On Tuesday, Sept. 21, a toll-free hotline will be available (5 a.m. to 5 p.m. Alaska time) to answer questions and assist people with signing up for the free credit monitoring service. That phone number and the website for the credit monitoring service will be provided on the DHSS website at dhss.alaska.gov.
Between Sept. 27 and Oct. 1, 2021, email notices will be sent to all Alaskans who have applied for a Permanent Fund Dividend which will include a code they can use to sign up for the credit monitoring service. People who don’t receive a code will need to contact the toll-free hotline for assistance. Questions may also be directed to DHSS at 1-888-484-9355 or PrivacyOfficial@alaska.gov, however the sign-up process for the credit monitoring service will need to go through the toll-free hotline available Sept. 21.
As always, Alaskans should monitor for unusual activity on their online accounts and report any suspicious behavior to the appropriate authorities. For more information on how to avoid and report identity theft, please visit the U.S. Federal Trade Commission’s (FTC) website, IdentityTheft.gov, or call 1-877-438-4338. The FTC will collect the details of your situation.
DHSS Commissioner Adam Crum:
“Alaskans entrust us with important health information, and we take that responsibility very seriously. Unfortunately, despite our best efforts at data protection, as the investigation into the cyberattack progressed, it became clear that a breach of personal and health information had occurred. We are notifying the public of this breach, as required by law, and want Alaskans who may have provided personal information to DHSS to exercise caution. Concerned Alaskans are encouraged to sign up for the free credit monitoring service being offered.”
DHSS Technology Officer Scott McCutcheon:
“Regrettably, cyberattacks by nation-state-sponsored actors and transnational cybercriminals are becoming more common and are an inherent risk of conducting any type of business online. As soon as this incident was discovered, our Information Technology staff acted swiftly to prevent further access by the attackers to its systems. All affected systems remain offline as we diligently and meticulously move through the three phases of response. Work is continuing to restore online services in a manner that will better shield DHSS and Alaskans from future cyberattacks.”
DHSS Chief Information Security Officer Thor Ryan:
“DHSS is continuing work to further strengthen its processes, tools and staff to be more resilient to future cyberattacks. Recommendations for future security enhancements are being identified and provided to state leadership.”
More details about this cyberattack can be found in the attached FAQ that was updated today, on dhss.alaska.gov, and in the attached links below:
- 05/18: DHSS website experiencing cyberattack; some services disrupted as investigation is conducted
- 06/07: Investigation and response to cyberattack ongoing; divisions implement alternate business processes to continue serving Alaskans
- 08/04: Detection and analysis phase of cyberattack response complete; vital records section back online, working through backlog
Additional information: