Theft of PHI from Alaska DHSS Possible Caused by Zeus Trojan Infection

The Alaska Department of Health and Social Services (ADHSS) is contacting ‘more than 500’ individuals to inform them that some of their protected health information (PHI) may have been accessed by hackers.

On April 26, the ADHSS found that malware had been placed on an staff member’s computer after suspicious behavior was noticed. The investigation revealed malware had been loaded – a variant of the Zeus/Zbot Trojan – which is known to be used to obtain sensitive data.

The malware was found to have communicated with IP addresses in Russia, although it is not known if the hackers are located in Russia or just using Russian IP addresses. ADHSS has not revealed whether protected health information was exfiltrated to those IP addresses, although data access and theft of PHI is a potential outcome.

In line with the Health Insurance Portability and Accountability Act, HIPAA-covered bodies must report data breaches as soon as they reasonably can, but no later than 60 days following the identification of a breach. AHDSS opted to delay the issuing of alerts until just before the deadline to allow investigators to determine the nature and extent of the HIPAA violation.

The infected computer stored a variety of files that included sensitive information of people in the Northern region of Alaska. Patients impacted by the breach had previously had dealings with the ADHSS division of Public Assistance (DPA) through the DPA Northern regional centers.

The sort of data of information possibly stolen include first and last names, phone numbers, dates of birth, pregnancy status, death status, incarceration status, Medicaid/Medicare billing codes, Social Security numbers, driver’s license numbers, and other confidential details.

In its official breach notice, ADHSS outlined that it had multiple layers of security in place to prevent malware infections, but in this instance those security measures had been bypassed.

As soon as the virus was discovered the computer was taken offline to eliminate any further data access. The ADHSS Information Technology and Security team is still investigating the breach and will be adapting additional protections to stop further breaches like this.