More than four months ago, the Alaska Department of Health and Social Services (DHHS) was hit with a “highly sophisticated” cyberattack that drove its systems offline — and remain down as DHHS continues its criminal investigation and recovery efforts. Its public notice shows protected health information was likely compromised and possibly stolen during the attack.
A security monitoring firm first noticed signs of a cyberattack on May 2 and informed the Alaska Office of Information Technology Security Office. DHHS was informed of the incident on May 5 and promptly shut down the network to prevent further access to DHSS data and to protect health information.
The investigation is ongoing, but investigators are still unsure of just how many individuals were affected by the incident. As such, all Alaskans who currently or previously used DHHS services are being told they should take precautionary measures to defend themselves against fraud and other nefarious acts.
The compromised data involves any data stored on the DHHS IT infrastructure at the time of the attack and before the IT team shut down the network, including names, dates of birth, Social Security numbers, contact details, driver’s licenses, internal identifiers used for case reports, protect service, reports, and Medicaid, health information, financial details, and case logs of interactions with DHHS.
From its notice, it appears the attack was launched by a nation-state actor or a transnational cybercriminal.
“All affected systems remain offline as we diligently and meticulously move through the three phases of our response. Work is continuing to restore online services in a manner that will better shield DHSS and Alaskans from future cyberattacks,” said DHSS Technology Officer Scott McCutcheon, in a statement.
Balancing HIPAA requirements with investigatory needs
The concern is that officials are aware of the potential risk around possibly “stolen personal information” that occurred during the attack, but have waited far beyond the Health Insurance Portability and Accountability Act requirements in terms of timely notice.
Under HIPAA, covered entities are required to inform individuals within 60 days of discovering a breach of health data. But Alaskan officials say they delayed notifications “to avoid interference with a criminal investigation.”
Instead, DHHS released multiple notices detailing ongoing efforts to remediate the impact of the cyberattack, which began in May. Expectedly, the initial notice provided scant details on the attack, and the follow-up merely provided transparency into the recovery plans. The Aug. 4 report acknowledged that the cyberattack occurred, as well as the steps taken to address and investigate the impact to individuals' data.
The systems review confirmed the attack was designed to be carried out over an undetected, prolonged period of time, and “the attackers took steps to maintain that long-term access even after they were detected,” McCutcheon previously explained.
The notice also detailed the precise steps DHHS intended to take in the wake of the attack. The team first brought its Electronic Vital Records System used by the Health Analytics and Vital Records Section (HAVRS) back online on July 26, to ensure vital records services could resume. Other departments have also made progress with systems restoration.
DHHS confirmed ongoing delays and appreciation for patients from the public, as well. But while transparency around these processes may bode well if there’s an Office for Civil Rights audit, there’s still the matter of patients not knowing their data was stolen for four months after the initial hack occurred.
“This situation demonstrates how the personal welfare of individuals, and the issues around criminal investigations, can be at odds with each other,” Erich Kron, security awareness advocate at KnowBe4, told SC Media. The delayed notification “has placed the victims in a situation of vulnerability for that time.”
“Once informed, potential victims can take steps, such as freezing credit and watching for odd financial transactions. However, without being made aware, they are far less likely to take these measures,” he added. “The decision to trade this notification for an extended criminal investigation is not likely to make any difference with respect to actually arresting the cyber criminals, something that rarely occurs in the real world.”
The struggle between strengthening criminal cases and withholding “potentially actionable information from potential victims” won’t be resolved in the near future, warned Kron. Individuals will need to take proper steps to protect their identity, including locking accounts, avoiding password reuse, and enabling multi-factor authentication.
Ongoing resource challenges
For RiskLens CEO Nick Sanna, the delayed, blanket notice combined with the continued network outage, reflects the complexity of these environments and the need for cybersecurity programs based on risk assessments “that take into account the true loss exposure generated by these kinds of incidents.”
The resource and budget challenges faced by the health care sector are well-documented and mirror those faced in local and municipal governments. When those two sectors combine, the issues and risks faced are heightened. In fact, this is the second data breach reported by the Alaskan DHHS in under three years.
In January 2019, the department notified 100,000 state residents who had previously applied for public assistance services from DHHS that their data had been breached in June 2018. The initial investigation thought just 500 residents were affected by a Zeus/Zbot Trojan. But further review confirmed the incident was far worse than anticipated.
But the Alaska DHHS should not be singled out: these attacks bear near identical hallmarks to multiple data breaches caused by phishing attacks against the Minnesota Department of Human Services in 2018. An initial email compromise occurred on June 28 and a second exploit landed on July 9 — and the IT team did not detect the systems intrusion until August that year.
The investigation could not confirm whether the threat actors accessed or copied data, which led to DHS notifying all patients who had interacted with the State Medical Review Team and DHS Direct Care and Treatment facilities. Employees were also affected by the incident.
While the intrusion was highly alarming, the state hearing into the incident on Oct. 9 revealed the ongoing challenges faced by government health departments. Officials railed against the IT commissioner during the meeting, with one official saying: "DHS IT is kind of a black hole for this committee, unfortunately. We put a lot of money in and don't get a lot of answers out."
The response remains true about ongoing challenges faced by the lower-resourced entities: it’s difficult to be timely with detection and notices due to a lack of resources, including low staff numbers. The IT commissioner described massive backlogs and auditing challenges that posed serious hurdles to an effective response to cyber incidents.
What’s more, “the security team [was] not resourced to fully address persistent threats.” Added to ongoing challenges with patching and detection reported by some of the country’s largest health organizations, past and present breach notices should serve as a reminder that there’s still a long way to go to strengthen the sector’s overall posture.
“That this attack happened at the same time as the Biden administration was issuing its executive order on improving the nation’s cybersecurity is juxtaposing reality and plan,” said Dirk Schrader, global vice president of security research for NTT, part of Netwrix. “A lot of work needs to be done to change the course for cybersecurity in critical infrastructures.”
“Vulnerabilities do not disappear, even more will be discovered in the future, and adversaries will attempt to exploit them,” he added. “Government entities and CNI organizations need to achieve a proactive, resilient posture covering their infrastructure, their identities and their data in a comprehensive way, avoiding security silos.”
