Death registry system in Hawaii had data breach, health department says
Hawaii’s Department of Health says it is sending out breach notification letters after a cyberattack in January gave hackers limited access to the state’s death registry.
Officials warned Friday that although death certificates were not accessed, people who recently had a death in the family should “remain vigilant about any remaining unsettled matters such as accounts, estate, life insurance claim or Social Security survivor benefits.”
The department said it first heard about the attack on January 23, when cybersecurity firm Mandiant notified several state agencies that the credentials for an external medical death certifier account connected to the state Electronic Death Registry System (EDRS) had been sold on the dark web.
Although the department immediately disabled the external account, an investigation finished in February found that a hacker accessed approximately 3,400 death records. Those documents had a date of death ranging from 1998 to 2023, with 90% occurring in 2014 or earlier, according to the department.
Death certificates — which are required for settling financial and legal matters — are generated separately from death records, the department said.
“The death records contain the decedent’s name, social security number, address, sex, date of birth, date of death, place of death, and cause of death. Records that had been certified could not be altered, and 99% of the records had been certified,” officials said.
“DOH reviewed the 1% of records that had not been certified, and none were certified by the unauthorized user.”
Breach notification letters will be sent to anyone listed in the EDRS system as a surviving spouse or person who reported the death to the mortuary.
The compromised account belonged to a medical certifier who worked for a local hospital but left the job in June 2021. The person’s account had not been deactivated afterward.
State officials said they plan to add more security measures for all external accounts connected to EDRS. They are in the process of reviewing all current external accounts.
The department did not respond to requests for comment but told Hawaii Public Radio that the investigation revealed that two IP addresses accessed the system: one in Kentucky and one in the Netherlands.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.