Department of Health warns of breach to online death registry

Nina Wu, The Honolulu Star-Advertiser
·3 min read

Mar. 10—The death records contain the decedent's name, Social Security number, address, sex, date of birth, date of death, place of death and cause of death.

The state Department of Health on Thursday warned residents of a security breach of its Electronic Death Registration System earlier this year.

DOH said notification letters regarding the unauthorized access to the system will be sent to surviving spouses and affected persons by the end of this week.

On Jan. 23, Mandiant, a cybersecurity threat intelligence company, notified the Health Department, Office of Enterprise Technology Serv ­ices, and Office of Homeland Security that a medical certifier's account had been compromised and that this certifier's login credentials had been placed for sale on the "dark web, " a marketplace of illegal products and services for cybercriminals.

DOH said it immediately disabled the account and launched an investigation.

It turns out that the compromised account belonged to a medical certifier at a local hospital who no longer worked there as of June 2021 but whose account had not been deactivated, according to DOH. The department said it completed its investigation Feb. 15.

An unauthorized person on Jan. 20 used the account to get into the EDRS, with access to approximately 3, 400 death records, including dates of death from 1998 to 2023. DOH said 90 % of the death records occurred in 2014 or earlier.

The death records contain the decedent's name, Social Security number, address, sex, date of birth, date of death, place of death and cause of death.

DOH says no death records were altered, given that most had been certified, meaning they could not be altered. Only 1 % were not certified, and after a review, DOH determined none were certified by the unauthorized user.

No death certificates were accessed, nor were any able to be generated, DOH said.

Out of an abundance of caution, however, DOH encourages those affected to remain vigilant of breaches to unsettled matters such as accounts, estate, life insurance claim or Social Security survivor benefits.

"In response to this incident, DOH is in the process of implementing additional security measures for EDRS external accounts, " said the department in a news release. "DOH is also conducting a security review of external accounts for all of our systems."

Cybersecurity is a growing concern for government entities and private companies in health care, finance, retail, manufacturing, energy and other sectors.

This month, Chick-fil-A notified customers of a data breach of its mobile app, which compromised customers' information, including names, addresses and the last four digits of credit card numbers.

Chick-fil-A discovered the breach after suspicious login activity to certain accounts and hired a national forensics firm to launch an investigation.

In Hawaii the Aloha Nursing Rehab Centre, a skilled nursing facility in Kaneohe, also experienced a recent data security breach.

The facility in February said an unauthorized party had accessed a limited number of electronic files from its system that included Social Security numbers and medical records.

The facility hired a cybersecurity expert and said there was no evidence of misuse but notified those affected of the breach.

The Hawaii Bankers Association warned Thursday of a rise in phishing scams from criminals posing as financial institutions. Criminals trick customers into disclosing their personal and financial information via email, text messages or phone calls, oftentimes with malicious links to fraudulent websites made to look like banking sites.

"Scammers are becoming increasingly sophisticated and are finding new ways to steal personal information, " said Neal Okabayashi, executive director at Hawaii Bankers Association.

"We ask for everyone's help to remain vigilant and to avoid providing sensitive information in a text message or to someone who contacts you unexpectedly, " he said.

U.S. Sen. Brian Schatz has reintroduced the Data Care Act, which holds websites and apps accountable for protecting data collected from users, and promptly informing them of data breaches involving sensitive information.

According to the Federal Trade Commission, consumers in 2022 lost nearly $8.8 billion to fraud, a more than a 30 % increase over the previous year. The FTC also received fraud reports from 2.4 million people.