When the state’s health department website was breached in May, cyberattackers had access to the private health information of Alaskans, the state announced today.
Adam Crum, the commissioner of the Department of Health and Social Services, said the department delayed the announcement to avoid interfering with a criminal investigation.
“It is a fair statement to say that any Alaskan could have been compromised by this,” he said.
The security breach violated state and federal privacy laws. The state does not know how many people’s data was accessed. The Department of Health and Social Services is urging all Alaskans who have provided data to the department to act to protect themselves from identity theft.
The department found evidence that the cyberattackers took some data, but it does not know what was taken.
The state is making free credit monitoring available to any Alaskan concerned about the breach. On Tuesday, the state will launch a toll-free hotline to answer questions and help people to sign up for credit monitoring. The number will be on the department’s website.
All Alaskans who’ve applied for permanent fund dividends will receive an email between Sept. 27 and Oct. 1 with a code to sign up for the credit monitoring.
The state also cautioned Alaskans to monitor their online accounts for unusual activity. Incidents of identity theft can be reported to the Federal Trade Commission.
State officials said they used the PFD application list because the contact information is current, but that the dividend division wasn’t affected by the breach. They said most Alaskans’ lives are touched by one DHSS program or another, so it made sense to reach many people through the PFD applications.
When department leaders last publicly discussed the attack in early August, they said there was “no current evidence that Alaskans’ protected health information or personally identifiable information was stolen.”
Department Chief Information Security Officer Thor Ryan said that statement was worded to acknowledge that the investigation wasn’t complete.
State officials said it was up to law enforcement to delay the announcement. They also did not disclose which agencies are conducting the investigation, saying they were asked not to.
The federal Health Insurance Portability and Accountability Act requires that any breach be disclosed no later than 60 days after it’s discovered.
Department technology officer Scott McCutcheon said there’s no sign that attackers are still accessing department data, or that they had accessed any other state government department’s information.
The department is still recovering from the attack and restoring services one at a time. State security contractor Mandiant recommended that the state not use backup files to rebuild its sites, so it’s building the services “from the ground up,” McCutcheon said.
Crum said responding to the breach required that workers rely on paperwork. He also said the department has been focusing on both the security breach and the pandemic response.
“We recognize every single day the burden this has put on our citizens, not to mention my employees,” Crum said.
Crum acknowledged the delays, comparing the recovery to rebuilding a plane while flying it.
“We know that these systems being down has put a burden on the general public in an already tough year,” he said. “But this is something that we’re continuing to grind through. We are working to get them up online as fast as possible, while also protecting for future attacks.”
The department is working with Mandiant to assess how to improve its security.
The department said the attackers potentially had access to the following types of individuals’ information: full names; dates of birth; Social Security numbers; addresses; telephone numbers; driver’s license numbers; health information; financial information; and historical information concerning a person’s interaction with DHSS.
Editor’s note: This story has been updated with more information from the Department of Health and Social Services.