- The Alaska Department of Health and Social Services recently updated its breach notification to include substantially more patients than were included in its initial announcement from June 2018. But in the process, those estimates also proved incorrect.
In 2018, DHSS announced that a malware attack on its eligibility database occurred between April 26 and April 30. The database included patient names, Social Security numbers, benefit information, dates of birth, addresses, and other personal details. At the time, letters were sent to just 501 patients.
However, on January 22 officials said their initial estimates were wrong and began sending notifications to 500,000 to 700,000 patients, informing them that their data was included in the initial hack. What’s worse is that the next day, officials once again modified that number to just 87,000 patients, according to local news outlet KTVA.
The hack occurred when an applicant emailed a request for assistance to DHSS to a state employee. As emails sent to the department often contain attachments, the employee opened what turned out to be a malicious file with a Zeus/Zbot trojan, officials said.
According to the notice, the hackers installed unauthorized software and performed “other suspicious computer behavior.” The hackers had access to the laptop’s hard drive with the “Day One” virus that proliferated before DHSS’ IT team was able to stop it.
“As soon as our IT folks realized what was happening, they shut it down so it couldn’t go any further, but at that point it had gotten into several layers of our security,” Shawnda O’Brien, Director of the Division of Public Assistance told KTVA. “In this case we were able to catch it, but by then the damage had already been done.”
As for the delayed notification, officials said it was due to the months-long FBI investigation into the extent of the breach, including a mass volume of data to research. The FBI is still investigating the breach, but still haven’t been able to identify the source.
Healthcare and government sectors have been prime targets for hackers in recent years, with several state health agencies reporting breaches within the last six months. Most recently, Kent County Community Mental Health notified about 2,200 patients that a phishing attack potentially breached their personal data.
But Minnesota Department of Human Services had one of the most notable in recent history, given the four-month delay in reporting the breach to the 21,000 patients impacted by the security incident. The state’s hearing that followed revealed a host of issues, including a lack of resources and staff to handle the cyberattack.