A cyber security breach temporarily halted cancer radiation treatment services at The Cancer Center of Hawaii on Oahu, the center acknowledged today.

The company, which conducts radiation treatment for cancer patients at two locations — Pali Momi Medical Center and St. Francis’ hospital campus in Liliha — confirmed Tuesday it experienced a computer network hack on Nov. 5. In response, the company shut down its network servers which temporarily kept them from being able to offer radiation services to cancer patients.

“We launched an investigation and determined that there was an outside attempt made to encrypt the data on our computers which temporarily disabled our network and our ability to deliver radiation treatments,” said Carolyn Voulgaridis, executive director of The Cancer Center of Hawaii. “While the forensic investigation is ongoing, at this time, there is no indication that patient or employee data was breached, accessed, or released.”

St. Francis Healthcare System of Hawaii located on Liliha Street.

The Cancer Center of Hawaii operates one of its two radiation treatment clinics at the St. Francis Healthcare System of Hawaii on Liliha Street. The company was recently a victim of a cyber security attack.

Cory Lum/Civil Beat

Voulgaridis said the company has reported the incident to the FBI and is working with a private computer forensics firm to investigate.

The company was able to “retrieve all essential patient treatment information from our radiation machines and restore our network to full operation,” she said, but would not say how long the system was disabled or how long radiation treatment was suspended.

Voulgaridis declined to answer other questions about the security breach and what kind of patient information could have been compromised.

The Cancer Center of Hawaii is a private for-profit company that offers radiotherapy and brachytherapy at the Hawaii Pacific Health Cancer Center at Pali Momi Medical Center and the St. Francis Health Care System of Hawaii. It leases space from both hospital campuses and on its website calls itself “the only free-standing radiation cancer treatment center.”

Hawaii Pacific Health Cancer Center entrance.

Hawaii Pacific Health Cancer Center refers patients to The Cancer Center of Hawaii for radiation therapy.

Cory Lum/Civil Beat

Hawaii Pacific Health spokeswoman Kristen Bonilla said the health system’s networks are “isolated” and that none of its patient data was compromised.

“We go through audits and vulnerability scans to make sure our cyber security posture is appropriate,” she said of the Hawaii Pacific Health network system.

St. Francis Health Care System of Hawaii did not immediately respond to a request for an interview.

Cyber security and ransomware attacks have become increasingly common against medical providers.

In 2018, the Fetal Diagnostic Institute of the Pacific in Honolulu notified nearly 41,000 patients about a potential data breach after a ransomware attack. A security firm was able to remove malicious software and restore the company’s data, but found hackers had gained access to patient names, birth dates, home addresses, account numbers, diagnoses and other information.

Pali Momi health center.

The Cancer Center of Hawaii leases space at Pali Momi to offer radiation therapy for cancer patients and was temporarily unable to provide therapy after a cyber hacking attempt.

Cory Lum/Civil Beat

In 2016, the Hawaii Medical Service Association experienced a data breach caused by unauthorized access or disclosure of documents. The breach affected approximately 10,000 people.

The Hawaii Department of Health’s Adult Mental Health Division fell victim to a hacking IT incident on a desktop computer that affected 674 people in 2012.

An investigation by ProPublica and German public broadcaster Bayerischer Rundfunk found that medical data belonging to millions of Americans are insecure and easily accessed by “anyone with a web browser or few lines of computer code.”

Tony Dow, a cyber security expert and senior manager of security operations for Hawaiian Telcom, said the way the Cancer Center of Hawaii described the attack makes it appear to be ransomware.

“Ransomware is malware that gets in a company’s network, and its goal is to encrypt data, with the company up for paying a ransom to get access back to their data,” he said. “Sometimes this could bring down systems, like the availability of systems, but it could also encrypt critical information or patient data that doctors might want to access as well.”

Ransomware attacks can launch via corrupt email links or remotely through the internet. Ransomware rarely targets specific victims, he said. Hackers usually cast a wide net. But the health care industry is particularly susceptible and vulnerable.

“A health care company may be more liable to pay the ransom because of the criticality of those systems,” he said. “There are lives on the line.”

We need your help . . .

Our small newsroom believes wholeheartedly that news and information is a public service – not something to be hidden behind paywalls or diluted by ads. Your donations ensure that our reporting remains free and accessible to all communities, regardless of a person’s ability to pay. For a limited time become a Civil Beat donor and we’ll throw in a limited-edition Civil Beat t-shirt!

About the Author