Last week, Alaska’s Department of Health and Social Services (DHSS) disclosed a security breach apparently carried out by a sophisticated nation-state-level attacker.
According to DHSS—which contracted with well-known security firm Mandiant to investigate the breach—the attackers gained a foothold inside DHSS’ network via one of its public-facing websites, from which they pivoted to deeper resources.
A months-long saga
This is not the first report of the DHSS breach. The organization first publicly announced the intrusion on May 18, with a June update announcing a multipronged investigation, and one more in August on completion of the first of three investigatory steps.
In the August update, DHSS disclosed that Mandiant—a subset of larger infosec firm FireEye—completed its initial investigation and concluded that the intrusion was a direct, sophisticated attack rather than a simple drive-by ransomware infestation. “The type of group behind this disruptive attack is a very serious operation with advanced capabilities,” said DHSS Commissioner Adam Crum.
According to DHSS Technology Officer Scott McCutcheon, the attackers were both advanced and persistent: “This was not a ‘one-and-done’ situation, but rather a sophisticated attack intended to be carried out undetected over a prolonged period. The attackers took steps to maintain that long-term access even after they were detected.”
The majority of the technical detail provided by Alaska DHSS came in the August update—last week’s notification instead concerned the attack’s impact on Alaskan citizens.
Data leaked, and Alaskan response
A security monitoring firm performing proactive surveillance first noticed signs of an intrusion on May 2. Alaska’s Office of Information Technology (Security Office) notified DHSS of unauthorized computer access on May 5, after which DHSS reports it immediately shut down systems to deny attackers further access to protected data.
During that (at least) three-day window, attackers potentially had access to personal data, and exposure of some of that data constitutes a breach of both HIPAA and the Alaska Personal Information Protection Act (APIPA). The number of individuals affected by the attack is still unknown, as is exactly what data may have been exfiltrated—but the attackers potentially had access to “any data stored on the department’s information technology infrastructure,” including but not limited to the following:
- Full names
- Dates of birth
- Social Security numbers
- Telephone numbers
- Driver’s license numbers
- Internal identifying numbers (case reports, protected service reports, Medicaid, etc.)
- Health information
- Financial information
- Historical information concerning a person’s interaction with DHSS
In response, the state of Alaska is offering free credit monitoring to “any concerned Alaskan.” All Alaskan citizens who have applied for a Permanent Fund Dividend will receive an email notification describing the breach and offering a code for the free credit-monitoring service. Concerned Alaskans who do not receive an emailed code will need to contact a toll-free hotline which will be available at the DHSS website beginning Tuesday, September 21.