Potential Theft of PHI from Alaska DHSS Due to Zeus Trojan Infection
The Alaska Department of Health and Social Services (ADHSS) is informing ‘over 500’ persons that hackers possibly accessed and stole some of their protected health information (PHI). After noticing suspicious behavior on an employee’s computer, the ADHSS investigated and discovered on April 26 that malware had been installed. The malware was a variant of the Zeus/Zbot Trojan, which is used for stealing sensitive data.
The malware was found to be associated with IP addresses from Russia. It is not clear whether the attackers are from Russia or whether Russian IP addresses were used. ADHSS hasn’t confirmed whether PHI was exfiltrated to those IP addresses, but data access and PHI theft were possible.
Under the Health Insurance Portability and Accountability Act, covered entities need to submit data breach reports without delay, and no later than 60 days after discovering a breach. ADHSS decided to postpone sending breach notifications until just before the deadline so that the nature and scope of the data breach could be fully investigated.
The infected computer contained a number of files that included the sensitive data of patients from the Northern region of Alaska. Patients impacted by the data breach had previous dealings with the ADHSS Division of Public Assistance (DPA) via the DPA Northern regional offices. The information that the hacker potentially stole consisted of first and last names, telephone numbers, birth dates, pregnancy status, incarceration status, death status, Medicaid/Medicare billing codes, driver’s license numbers, Social Security numbers, and other confidential data.
ADHSS explained in its breach notice that multiple levels of security were in place to defend against malware infections, but those security measures were not enough in this instance. The ADHSS Information Technology and Security team will continue to investigate the data breach and implement extra defenses to stop similar breaches in the future.