Alaska Health Department Services Affected by Malware Attack
Latest in a String of Incidents at Public Health Agencies Globally
Alaska's Department of Health and Social Services is the latest in a series of public health departments hit by a cyberattack in recent weeks.
Earlier this week, the Ireland Health Department revealed that it had been the victim of a recent ransomware attack. Meanwhile, several other state health departments in the U.S., including in Wyoming and Pennsylvania, recently reported mishaps leading to large exposures of sensitive COVID-19 related data.
The Alaska department says its website was the target of a recent malware attack.
"The department is investigating the incident in cooperation with the appropriate authorities and is taking immediate actions to prevent further disruption and harm to its servers, systems and databases," it says in a statement.
The Alaska department's website was taken offline Monday evening and will be unavailable to the public until further details are known about the security incident, department officials say.
"Some services, such as COVID-19 vaccine appointment scheduling and the data dashboards, are hosted by outside sources and can still be accessed through covid19.alaska.gov," the department notes.
The department's services that are currently unavailable include its main website, a background check system, the state of Alaska's vital records system, Alaska's behavioral health and substance abuse management system and the state's system for schools to report vaccine data to public health.
"The department is working as quickly as possible to ensure continuity of services to beneficiaries and providers," the statement says.
Investigators are determining whether any personal or confidential information was compromised, and the department will notify any partners, vendors or individuals who may be identified as being affected, the health department says.
"At this time, there are no details about who initiated the attack, why they targeted DHSS, whether this attack is related to any other recent attacks, or how long the website may be down," the department notes.
The Alaska health department did not immediately respond to Information Security Media Group's request for additional information about the incident, including whether the attack involved ransomware.
A Series of Alaska Breaches
Privacy attorney David Holtzman of the consulting firm HITprivacy LLC notes that the Alaska DHSS has had a number of previous large data breaches.
"Alaska DHSS has a well-earned reputation for having weak information security defenses that make them vulnerable to a cyberattack," he says.
For example, in 2017 and again in 2018, the agency reported that "successful phishing attacks allowed hackers to infiltrate its information systems," he says (see: Victim Count in Alaska Health Department Breach Soars).
The incident in 2018 affected about 700,000 individuals, despite the agency initially reporting the breach to federal regulators as affecting only 501 people.
Also, a breach investigation by the U.S. Department of Health and Human Services' Office for Civil Rights completed in 2012 found that the Alaska DHSS had not performed an information security risk assessment or implemented basic measures to safeguard its electronic protected health information, he notes.
The breach incident investigated in 2012 involved the theft of an unencrypted USB drive. OCR's investigation into that breach ended in a $1.7 million HIPAA settlement with the Alaska agency (see: Alaska HIPAA Penalty: $1.7 Million).
A Vulnerable Sector
Kate Borten, president of privacy and security consulting firm The Marblehead Group, notes that all types of healthcare entities appear to be vulnerable to cyberattacks during the COVID-19 pandemic.
"Besides taking advantage of weak security controls to gain personally identifiable, hence profitable, data, attackers may be motivated by the desire to disrupt," she notes.
"We are in a socially and politically charged time. Just as some people spread untrue information about COVID, masks and the vaccine, others may express anger and frustration through malware."
The Alaska incident comes on the heels of other cyberattacks and data breaches at public health departments in the U.S. and elsewhere.
Among them was a ransomware attack earlier this week on the Ireland Health Department (see: Irish Healthcare Sector Was Hit by 2 Ransomware Attacks).
Also, the Pennsylvania Health Department said last month that COVID-19 contact-tracing information collected by employees of the department's staffing contractor Insight Global may have been accessible to unauthorized individuals.
The affected information was potentially exposed via an "unauthorized collaboration channel" set up by some Insight Global employees using Google accounts to share information, the vendor says.
The Pennsylvania Health Department says the forensic investigation into the incident is ongoing.
The exposed documents contained at least 72,000 individuals’ names, some of which are associated with additional information, such as phone numbers and email addresses, gender, age, sexual orientation, and COVID-19 diagnosis and exposure status.
"As a result of this incident, the Department of Health has informed Insight Global that it will not renew the contract when it expires July 31, 2021," according to a statement from the department.
The state attorney general's office is investigating the incident, The Associated Press reports.
Lack of Preparation
Privacy attorney Kirk Nahra of the law firm WilmerHale says healthcare entities, including public health departments, have been a favorite target of attackers, particularly during the pandemic. "Many government agencies in general do not seem to be well prepared for these events," he says.
Likewise, Holtzman notes that state and local public health agencies are vulnerable largely due to a lack of adequate investments in technology and security.
That has resulted in public health agencies being "unable to have effective information security management controls to protect against cyberattacks that can expose sensitive information to hackers or allow data to be hijacked and held for ransom," he says.