3,400 death registry records accessed in Hawaii Department of Health data security breach
We do not see many breach notifications from Hawaii, but KHON made us aware of this reminder to disable access when an external employee terminates employment:
HONOLULU, HI – The Hawai‘i Department of Health (DOH) will send out notification letters regarding unauthorized access to the DOH Electronic Death Registry System (EDRS), by the end of this week. These notifications will be sent to those listed in the system as surviving spouses and/or the person who reported the death to the mortuary.
On January 23, 2023, Mandiant, a cybersecurity threat intelligence company, notified the Office of Enterprise Technology Services (ETS), Office of Homeland Security and DOH that an external medical certifier account of the EDRS was compromised and the login credentials were placed for sale on the dark web (internet marketplace where cybercriminals can transact illegal products and services). Upon being notified, DOH immediately disabled the account and began an investigation.
The DOH completed its investigation February 15, 2023, and found that the compromised account belonged to a medical certifier at a local hospital who had left employment in June 2021, but whose account had not been deactivated. An unauthorized individual used the account to access the EDRS on January 20, 2023, and approximately 3,400 death records may have been viewed. The death records had a date of death ranging from 1998 to 2023, with 90% occurring in 2014 or earlier.
The death records contain the decedent’s name, social security number, address, sex, date of birth, date of death, place of death, and cause of death. Records that had been certified could not be altered, and 99% of the records had been certified. DOH reviewed the 1% of records that had not been certified, and none were certified by the unauthorized user.
No death certificates were accessed, nor were any able to be generated. However, out of an abundance of caution, DOH encourages affected parties to remain vigilant about any remaining unsettled matters such as accounts, estate, life insurance claim or Social Security survivor benefits.
In response to this incident, DOH is in the process of implementing additional security measures for EDRS external accounts. DOH is also conducting a security review of external accounts for all of our systems.