The Hawaii Department of Health has stated that it will be dispatching breach notification letters following a cyberattack that occurred in January. The attack granted hackers limited access to the state’s death registry. Officials have cautioned that while death certificates were not accessed, individuals who have experienced a recent death in their family should remain alert regarding any unresolved issues such as accounts, estates, life insurance claims, or Social Security survivor benefits.
The department was alerted to the attack on January 23rd by cybersecurity company Mandiant, which informed multiple state agencies that the login credentials for an external medical death certifier account linked to the Electronic Death Registry System (EDRS) had been sold on the dark web.
In February, the department conducted an investigation that revealed a hacker had accessed approximately 3,400 death records after the external account was disabled. The records spanned from 1998 to 2023, with 90% of the deaths occurring in 2014 or earlier.
The death records contained essential information about the deceased, such as their name, Social Security number, address, sex, date of birth, date of death, place of death, and cause of death. However, certified reports were unalterable, and 99% of the reports had been certified.
State officials plan to send breach notification letters to individuals who are reported in the EDRS system as either a surviving spouse or the person who reported the death to the mortuary. The medical certifier who owned the compromised account was employed at a local hospital but left the job in June 2021. Despite their departure, the account remained active.
To improve security, state officials intend to introduce additional measures for all external accounts that are linked to EDRS. They are currently assessing all existing external accounts.