Victim Count in Alaska Health Department Breach Soars
2018 Breach Report Said 501 Affected, But Now Up to 700,000 Being Notified
Alaska state authorities are notifying up to 700,000 individuals of a health department data breach that originally was reported to federal regulators last June as affecting only 501 people.
The spike in potential victims is an extreme example of the challenges some breached entities face when trying to determine the scope of a security incident.
"This situation could ... reflect just the overall difficulty of investigating some of these incidents and recognizing how far into systems things may have gone," says privacy attorney Kirk Nahra of the law firm Wiley Rein.
The Alaska Department of Health and Social Services, which reported the breach, has a rocky security record. For example, back in 2012, it was fined $1.7 million as part of a HIPAA settlement for a breach reported in 2009 involving the theft of an unencrypted USB drive potentially containing Medicaid beneficiaries' health information (see: Alaska HIPAA Penalty: $1.7 Million).
Last Year's Breach Report
On June 28, 2018, Alaska DHSS reported to the U.S. Department of Health and Human Services' Office for Civil Rights a hacking/IT incident impacting 501 individuals that involved a desktop and email, according to a posting on OCR's HIPAA Breach Reporting Tool website.
Commonly called the "wall of shame," the website lists major health data breaches affecting 500 or more individuals.
A statement the Alaska DHSS issued last June noted that the security breach "may have disclosed personal information of individuals who have interacted with Division of Public Assistance in the Northern region."
The statement noted that on April 26, 2018, "a DPA computer in the Northern region was infected with the Zeus/Zbot Trojan virus, resulting in a potential HIPAA and an Alaska Personal Information Protection Act breach of more than 500 individuals."
Fast forward to this week: Local news media outlet KTVA on Wednesday reported that the Alaska DHSS confirmed it's sending letters to 500,000 to 700,000 current or former participants in the division's programs to notify them of the incident.
"We don't have any reason to believe their information was compromised, but because their information could have been compromised, we had to let them know," Shawnda O'Brien, director of the state's Division of Public Assistance, told KTVA.
New Comments From DHSS
O'Brien tells Information Security Media Group that DHSS began sending out letters on Tuesday, and so far notifications have been mailed to 87,000 households.
Back in June, when the breach was first reported, DHSS already suspected the incident affected between 500,000 and 700,000 individuals, she says. But DHSS reported the breach to OCR as affecting only 501 individuals because the department had not yet confirmed the higher figures. "We knew it would be more than 500 individuals," she says. The subsequent investigation confirmed for DHSS that the potential impact was in the higher range, she adds.
"The delay in notifying individuals was largely due to the volume of analysis conducted," she says. "The department was able to partner with the FBI to do the forensic analysis of the machine's hard drive to get better detail on what the virus was able to access. It took several months and there were further delays because of the earthquake and staffing changes in the agency. The intent was to get notification out much earlier."
DHSS has security protocols and policy in place to ensure the most up-to-date virus protection software is deployed to computers, she says. "The nature of this particular virus is what led to this breach. It wouldn't have been something our security software could have prevented, unfortunately. The security office in the department is continuously striving to ensure our devices are protected with the most up-to-date software."
OCR did not immediately respond to an ISMG request for comment on the case.
If the actual number affected by the breach reaches 700,000, the Alaska incident would be the fourth largest health data breach reported to federal regulators in 2018, according to the OCR website. Even if the breach affected only 500,000, the incident would still rank among the ten largest health data breaches reported in 2018.
The state's statement from last June notes that Alaska's DHSS security team conducted an investigation that revealed the infected computer accessed sites in Russia, had malware installed and exhibited other suspicious computer behavior that provided strong indications of a computer infection.
The breached computer contained documents including information on pregnancy status, incarceration status, Medicaid/Medicare billing codes, criminal justice, health billing, Social Security numbers, driver's license numbers, first and last names, birthdates, phone numbers, and other confidential data, the June statement said.
"Hackers may have used the infected computer to steal data," according to the statement. Upon discovering the hack, the department took immediate action to mitigate further access to the infected computer, the statement added.
"It isn't surprising that they found more in their systems over time, especially if they were getting help with the analysis," says Nahra, the attorney.
"There's always a question of how far you go in your investigation and what you do when you aren't sure about certain things, including whether other individuals had any impact at all. I suspect this is just a difficulty in figuring out what happened and a recognition, even if late, that there was an impact of some kind on this larger audience. It's not a great result, but better to inform later than not at all."
Privacy attorney David Holtzman, vice president of compliance at security consultancy CynergisTek, says: "Alaska DHSS has a history of playing fast and loose with their obligations under the HIPAA Breach Notification Rule to accurately report incidents involving breaches. In addition to the most recent incident, on at least two prior occasions, Alaska DHSS has reported breaches to OCR as affecting 501 individuals when they actually impacted many more."
According to the OCR breach report website, Alaska DHSS reported breaches in September 2017 and October 2009 "that compromised the PHI of exactly 501 people," he notes.
News reports from the time of the 2017 breach described how computers used in a regional DHSS office were infected with malware, as in the incident in April 2018, he says.
An OCR investigation into the 2009 breach, which resulted in the $1.7 million fine, determined that DHSS had not completed a risk assessment, implemented sufficient risk management measures, completed security training for DHSS workforce members, or implemented device and media controls.
As part of the HIPAA settlement with OCR tied to that 2009 breach, Alaska DHSS agreed to a corrective action plan in which the agency was required to "review, revise and maintain policies and procedures to ensure compliance with the HIPAA Security Rule."