A May cyberattack against the Alaska Department of Health and Social Services could have exposed most Alaskans’ personal and health information to the attackers, the department said Thursday.
“It is a fair statement to say that any Alaskan could have been compromised by this,” Health and Social Services Commissioner Adam Crum said.
Given the attack’s scale, “we cannot be assured there is a low probability that protected health information was compromised, and therefore, in accordance with (federal law), we are notifying Alaskans their health or personal information may have been compromised,” the department said in a written statement.
The agency hasn’t said who was behind the attack or what the purpose of the attack was.
State health officials said that the type of personal information potentially compromised includes Social Security numbers, birthdates, addresses, phone numbers, driver’s license numbers and health and financial information.
The state will be spending $215,000 to buy free credit monitoring for every Alaskan who asks for it, said Sylvan Robb, assistant commissioner for the department.
Sign-ups for the free credit monitoring service will open by phone (at a number to be announced later) and online Tuesday, the department said.
A notice of the data breach will be emailed to all Permanent Fund dividend applicants between Sept. 27 and Oct. 1. That notice will include a code that can be used to sign up for the credit monitoring service.
The attack was discovered in May, but the department did not tell Alaskans about the possible exposure of personal information until Thursday.
“It was delayed until now because we did not want to interfere with an ongoing criminal investigation,” Crum said.
The department’s chief information security officer, Thor Ryan, said federal law prohibits the state from notifying the public while a criminal investigation takes place, if investigators request secrecy.
He said he couldn’t say who the investigators were, and the department did not say what the target of the investigation was, but the agency did confirm that the attackers were not seeking ransom.
“It is still an ongoing investigation, so there are limitations on what can be shared,” Crum said. The state health department declined to identify the attackers but described them as “a highly sophisticated group known to conduct complex cyberattacks against organizations that include state governments and health care entities.”
The Department of Health and Social Services is by far the state’s largest, overseeing Medicaid — which insures about one-third of Alaska’s population — as well as the Office of Children’s Services, Temporary Aid for Needy Families, public health vaccination clinics and more.
“We basically touch the lives of most Alaskans, I’d say, in one form or another,” said Scott McCutcheon, a technology officer for the department.
He said it’s not clear how many people were affected because the department doesn’t know what was taken.
“There was evidence that data was exfiltrated, but what the contents of that data was, what it contained, we don’t have detailed information as to what was in that,” he said.
Since May, the department’s electronic systems have been either partially or totally offline.
“When this went down, Health and Social Service employees had to revert back to manual analog processes. And that is a very tedious thing. Because whatever work we do get done now and process via paperwork, when the system is back up, it has to be re-logged digitally. And so this is going to be a burden of doing the work two to three times as much,” Crum said.
In one example, the system used to share birth, death and marriage certificates wasn’t restored until August, forcing employees to process those certificates by hand.
The department’s grant-distribution system, which sends money to senior centers and medical facilities, is also running on paper processes, leaving some facilities with an extended wait to get needed funding.
One of the most critical failures has been in the system used to process criminal background checks for new-hired health care workers.
Alaska is experiencing a critical shortage of nurses and specialist staff as hospitals fill with COVID-19 patients. The state has requested hundreds of new workers through a federal-aid program, but their arrival could be delayed by the need to manually process those background checks.
“Depending on circumstances, the process could take up to 15 days,” the Department of Health and Social Services said in a statement.
The administration of Gov. Mike Dunleavy had asked the Alaska Legislature to temporarily waive those background checks under certain circumstances, but his proposed legislation failed after legislators amended it to restrict hospitals’ anti-pandemic measures.
At the state health department, officials said they are continuing to restore services, and there is no evidence that the attackers still have access to state systems.
Department of Health and Social Services officials provided additional information about the cyberattack in an FAQ posted to their website.
Correction: A previous version of this article listed an incorrect telephone number to sign up for free credit monitoring. That phone number will be released Tuesday by the state health department.