- Special Projects
A cyber security breach temporarily halted cancer radiation treatment services at The Cancer Center of Hawaii on Oahu, the center acknowledged today.
The company, which conducts radiation treatment for cancer patients at two locations — Pali Momi Medical Center and St. Francis’ hospital campus in Liliha — confirmed Tuesday it experienced a computer network hack on Nov. 5. In response, the company shut down its network servers which temporarily kept them from being able to offer radiation services to cancer patients.
“We launched an investigation and determined that there was an outside attempt made to encrypt the data on our computers which temporarily disabled our network and our ability to deliver radiation treatments,” said Carolyn Voulgaridis, executive director of The Cancer Center of Hawaii. “While the forensic investigation is ongoing, at this time, there is no indication that patient or employee data was breached, accessed, or released.”
Voulgaridis said the company has reported the incident to the FBI and is working with a private computer forensics firm to investigate.
The company was able to “retrieve all essential patient treatment information from our radiation machines and restore our network to full operation,” she said, but would not say how long the system was disabled or how long radiation treatment was suspended.
Voulgaridis declined to answer other questions about the security breach and what kind of patient information could have been compromised.
The Cancer Center of Hawaii is a private for-profit company that offers radiotherapy and brachytherapy at the Hawaii Pacific Health Cancer Center at Pali Momi Medical Center and the St. Francis Health Care System of Hawaii. It leases space from both hospital campuses and on its website calls itself “the only free-standing radiation cancer treatment center.”
Hawaii Pacific Health spokeswoman Kristen Bonilla said the health system’s networks are “isolated” and that none of its patient data was compromised.
“We go through audits and vulnerability scans to make sure our cyber security posture is appropriate,” she said of the Hawaii Pacific Health network system.
St. Francis Health Care System of Hawaii did not immediately respond to a request for an interview.
Cyber security and ransomware attacks have become increasingly common against medical providers.
In 2018, the Fetal Diagnostic Institute of the Pacific in Honolulu notified nearly 41,000 patients about a potential data breach after a ransomware attack. A security firm was able to remove malicious software and restore the company’s data, but found hackers had gained access to patient names, birth dates, home addresses, account numbers, diagnoses and other information.
In 2016, the Hawaii Medical Service Association experienced a data breach caused by unauthorized access or disclosure of documents. The breach affected approximately 10,000 people.
The Hawaii Department of Health’s Adult Mental Health Division fell victim to a hacking IT incident on a desktop computer that affected 674 people in 2012.
An investigation by ProPublica and German public broadcaster Bayerischer Rundfunk found that medical data belonging to millions of Americans are insecure and easily accessed by “anyone with a web browser or few lines of computer code.”
Tony Dow, a cyber security expert and senior manager of security operations for Hawaiian Telcom, said the way the Cancer Center of Hawaii described the attack makes it appear to be ransomware.
“Ransomware is malware that gets in a company’s network, and its goal is to encrypt data, with the company up for paying a ransom to get access back to their data,” he said. “Sometimes this could bring down systems, like the availability of systems, but it could also encrypt critical information or patient data that doctors might want to access as well.”
Ransomware attacks can launch via corrupt email links or remotely through the internet. Ransomware rarely targets specific victims, he said. Hackers usually cast a wide net. But the health care industry is particularly susceptible and vulnerable.
“A health care company may be more liable to pay the ransom because of the criticality of those systems,” he said. “There are lives on the line.”
Studies have shown that when local journalism disappears, government financing costs go up, fewer people run for public office, elected officials become less responsive to their constituents, and voter turnout decreases. Our small nonprofit newsroom works hard every day to present local news in a deep and transparent way, without fear or favor. We also rely on donations from readers like you to keep us afloat. The more support we receive; the stronger, more sustainable our journalism becomes; the more accountable we are to you. Please consider supporting our Honolulu Civil Beat with a tax-deductible gift.