Health Dept. Cyber Attack Exposes Most Alaskans’ Personal Data

The attack against the Department of Health and Social Services could have released personal and health information to the hackers. The state will spend $215,000 for free credit monitoring for those who want it.

(TNS) — A May cyberattack against the Alaska Department of Health and Social Services could have exposed most Alaskans' personal and health information to the attackers, the department said Thursday.

"It is a fair statement to say that any Alaskan could have been compromised by this," Health and Social Services Commissioner Adam Crum said.

Given the attack's scale, "we cannot be assured there is a low probability that protected health information was compromised, and therefore, in accordance with (federal law), we are notifying Alaskans their health or personal information may have been compromised," the department said in a written statement.

The agency hasn't said who was behind the attack or what the purpose of the attack was.

State health officials said that the type of personal information potentially compromised includes Social Security numbers, birthdates, addresses, phone numbers, driver's license numbers and health and financial information.

The state will be spending $215,000 to buy free credit monitoring for every Alaskan who asks for it, said Sylvan Robb, assistant commissioner for the department.

Sign-ups for the free credit monitoring service will open by phone (at a number to be announced later) and online Tuesday, the department said.

A notice of the data breach will be emailed to all Permanent Fund dividend applicants between Sept. 27 and Oct. 1. That notice will include a code that can be used to sign up for the credit monitoring service.

The attack was discovered in May, but the department did not tell Alaskans about the possible exposure of personal information until Thursday.

"It was delayed until now because we did not want to interfere with an ongoing criminal investigation," Crum said.

The department's chief information security officer, Thor Ryan, said federal law prohibits the state from notifying the public while a criminal investigation takes place, if investigators request secrecy.

He said he couldn't say who the investigators were, and the department did not say what the target of the investigation was, but the agency did confirm that the attackers were not seeking ransom.

"It is still an ongoing investigation, so there are limitations on what can be shared," Crum said. The state health department declined to identify the attackers but described them as "a highly sophisticated group known to conduct complex cyberattacks against organizations that include state governments and health care entities."

The Department of Health and Social Services is by far the state's largest, overseeing Medicaid — which insures about one-third of Alaska's population — as well as the Office of Children's Services, Temporary Aid for Needy Families, public health vaccination clinics and more.

"We basically touch the lives of most Alaskans, I'd say, in one form or another," said Scott McCutcheon, a technology officer for the department.

He said it's not clear how many people were affected because the department doesn't know what was taken.

"There was evidence that data was exfiltrated, but what the contents of that data was, what it contained, we don't have detailed information as to what was in that," he said.

Since May, the department's electronic systems have been either partially or totally offline.

"When this went down, Health and Social Service employees had to revert back to manual analog processes. And that is a very tedious thing. Because whatever work we do get done now and process via paperwork, when the system is back up, it has to be re-logged digitally. And so this is going to be a burden of doing the work two to three times as much," Crum said.

In one example, the system used to share birth, death and marriage certificates wasn't restored until August, forcing employees to process those certificates by hand.

The department's grant-distribution system, which sends money to senior centers and medical facilities, is also running on paper processes, leaving some facilities with an extended wait to get needed funding.

One of the most critical failures has been in the system used to process criminal background checks for newly hired health care workers.

Alaska is experiencing a critical shortage of nurses and specialist staff as hospitals fill with COVID-19 patients. The state has requested hundreds of new workers through a federal-aid program, but their arrival could be delayed by the need to manually process those background checks.

"Depending on circumstances, the process could take up to 15 days," the Department of Health and Social Services said in a statement.

The administration of Gov. Mike Dunleavy had asked the Alaska Legislature to temporarily waive those background checks under certain circumstances, but his proposed legislation failed after legislators amended it to restrict hospitals' anti-pandemic measures.

At the state health department, officials said they are continuing to restore services, and there is no evidence that the attackers still have access to state systems.

Department of Health and Social Services officials provided additional information about the cyberattack in an FAQ posted to their website.



(c)2021 the Alaska Dispatch News (Anchorage, Alaska) Distributed by Tribune Content Agency, LLC.