State offers free credit monitoring following data breach

Health department information accessed, state says

Free credit monitoring services will be made available to Alaskans starting Sept. 27, following a cyberattack on the Department of Health and Social Services. Authorities said the attack is believed to have breached databases containing residents’ protected information.

Because of an ongoing criminal investigation, exact details of who’s behind the attack and exactly what information was accessed is not being shared at this time,DHSS Commissioner Adam Crum said Thursday in a news conference. However, DHSS said databases accessed contained information protected under the federal Health Insurance Portability and Accountability Act and the Alaska Personal Information Protection Act. Federal law requires Alaskans be notified their information may have been compromised.

Crum said at the news conference beginning Sept. 27, emails would be sent to Alaskans who’ve submitted Permanent Fund Dividend applications with instructions on how to apply for free credit monitoring. In a statement, the department said that same day a toll-free phone number would set up to help Alaskans with their applications between 5 a.m. and 5 p.m.

“It is a fair statement to say that any Alaskan could have been compromised by this,” Crum said.

[113,000 Alaskan voter IDs exposed in data breach]

DHSS said the breach was conducted by a highly sophisticated, state-sponsored entity and has retained the services of cybersecurity companies FireEye and Mandiant. According to DHSS, FireEye said the attacker was “a highly sophisticated group known to conduct complex cyberattacks against organizations that include state governments and health care entities.”

At several points in the news conference, Crum said he could not answer certain questions about the identity of the attacker, and cited the ongoing criminal investigation. An FAQ provided by DHSS refers to the attacker as “nation-state sponsored.”

Crum did say cybersecurity experts believe the attack is no longer ongoing and that the attacker has been removed from DHSS systems. However, DHSS was forced to shut down its databases and revert to manual input of information, Crum said, which has been very time-consuming for staff.

Some DHSS databases have been restored, but the shutdown has led to large backlogs of requests for various vital records such as birth certificates and marriage certificates.

The breach was originally announced in May when DHSS took many of its systems offline. DHSS is not the only state department to be the victim of a malware attack. Also in May, then-Chief Justice of the Alaska Supreme Court Joel Bolger announced the court was a victim of a cybersecurity attack.

In December 2020, the Alaska Division of Elections announced it had been attacked and that potentially 113,000 Alaskans’ voter information was exposed.

Contact reporter Peter Segall at Follow him on Twitter at @SegallJnuEmpire.