Theft of PHI from Alaska DHSS Possible Caused by Zeus Trojan Infection

by | Jul 5, 2018

The Alaska Department of Health and Social Services (ADHSS) is contacting ‘more than 500’ individuals to inform them that some of their protected health information (PHI) may have been accessed by hackers.

On April 26, the ADHSS found that malware had been placed on an staff member’s computer after suspicious behavior was noticed. The investigation revealed malware had been loaded – a variant of the Zeus/Zbot Trojan – which is known to be used to obtain sensitive data.

The malware was found to have communicated with IP addresses in Russia, although it is not known if the hackers are located in Russia or just using Russian IP addresses. ADHSS has not revealed whether protected health information was exfiltrated to those IP addresses, although data access and theft of PHI is a potential outcome.

In line with the Health Insurance Portability and Accountability Act, HIPAA-covered bodies must report data breaches as soon as they reasonably can, but no later than 60 days following the identification of a breach. AHDSS opted to delay the issuing of alerts until just before the deadline to allow investigators to determine the nature and extent of the HIPAA violation.

The infected computer stored a variety of files that included sensitive information of people in the Northern region of Alaska. Patients impacted by the breach had previously had dealings with the ADHSS division of Public Assistance (DPA) through the DPA Northern regional centers.

The sort of data of information possibly stolen include first and last names, phone numbers, dates of birth, pregnancy status, death status, incarceration status, Medicaid/Medicare billing codes, Social Security numbers, driver’s license numbers, and other confidential details.

In its official breach notice, ADHSS outlined that it had multiple layers of security in place to prevent malware infections, but in this instance those security measures had been bypassed.

As soon as the virus was discovered the computer was taken offline to eliminate any further data access. The ADHSS Information Technology and Security team is still investigating the breach and will be adapting additional protections to stop further breaches like this.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy