A cyber security breach temporarily halted cancer radiation treatment services at The Cancer Center of Hawaii on Oahu, the center acknowledged today.
The company, which conducts radiation treatment for cancer patients at two locations — Pali Momi Medical Center and St. Francis’ hospital campus in Liliha — confirmed Tuesday it experienced a computer network hack on Nov. 5. In response, the company shut down its network servers, which temporarily kept it from offering radiation services to cancer patients.
“We launched an investigation and determined that there was an outside attempt made to encrypt the data on our computers which temporarily disabled our network and our ability to deliver radiation treatments,” said Carolyn Voulgaridis, executive director of The Cancer Center of Hawaii. “While the forensic investigation is ongoing, at this time, there is no indication that patient or employee data was breached, accessed, or released.”
Voulgaridis said the company has reported the incident to the FBI and is working with a private computer forensics firm to investigate.
The company was able to “retrieve all essential patient treatment information from our radiation machines and restore our network to full operation,” she said, but would not say how long the system was disabled or how long radiation treatment was suspended.
Voulgaridis declined to answer other questions about the security breach and what kind of patient information could have been compromised.
The Cancer Center of Hawaii is a private for-profit company that offers radiotherapy and brachytherapy at the Hawaii Pacific Health Cancer Center at Pali Momi Medical Center and the St. Francis Health Care System of Hawaii. It leases space from both hospital campuses and on its website calls itself “the only free-standing radiation cancer treatment center.”
Hawaii Pacific Health spokeswoman Kristen Bonilla said the health system’s networks are “isolated” and that none of its patient data was compromised.
“We go through audits and vulnerability scans to make sure our cyber security posture is appropriate,” she said of the Hawaii Pacific Health network system.
St. Francis Health Care System of Hawaii did not immediately respond to a request for an interview.
Cyber security breaches and ransomware attacks have become increasingly common against medical providers.
In 2018, the Fetal Diagnostic Institute of the Pacific in Honolulu notified nearly 41,000 patients about a potential data breach after a ransomware attack. A security firm was able to remove malicious software and restore the company’s data, but found hackers had gained access to patient names, birth dates, home addresses, account numbers, diagnoses and other information.
Tony Dow, a cyber security expert and senior manager of security operations for Hawaiian Telcom, said the way the Cancer Center of Hawaii described the attack makes it appear to be ransomware.
“Ransomware is malware that gets in a company’s network, and its goal is to encrypt data, with the company up for paying a ransom to get access back to their data,” he said. “Sometimes this could bring down systems, like the availability of systems, but it could also encrypt critical information or patient data that doctors might want to access as well.”
Ransomware attacks can launch via corrupt email links or remotely through the internet. Ransomware rarely targets specific victims, he said. Hackers usually cast a wide net. But the health care industry is particularly susceptible and vulnerable.
“A health care company may be more liable to pay the ransom because of the criticality of those systems,” he said. “There are lives on the line.”