A cyber security breach temporarily halted cancer radiation treatment services at The Cancer Center of Hawaii on Oahu, the center acknowledged today.

The company, which conducts radiation treatment for cancer patients at two locations — Pali Momi Medical Center and St. Francis’ hospital campus in Liliha — confirmed Tuesday it experienced a computer network hack on Nov. 5. In response, the company shut down its network servers which temporarily kept them from being able to offer radiation services to cancer patients.

“We launched an investigation and determined that there was an outside attempt made to encrypt the data on our computers which temporarily disabled our network and our ability to deliver radiation treatments,” said Carolyn Voulgaridis, executive director of The Cancer Center of Hawaii. “While the forensic investigation is ongoing, at this time, there is no indication that patient or employee data was breached, accessed, or released.”

St. Francis Healthcare System of Hawaii located on Liliha Street.

The Cancer Center of Hawaii operates one of its two radiation treatment clinics at the St. Francis Healthcare System of Hawaii on Liliha Street. The company was recently a victim of a cyber security attack.

Cory Lum/Civil Beat

Voulgaridis said the company has reported the incident to the FBI and is working with a private computer forensics firm to investigate.

The company was able to “retrieve all essential patient treatment information from our radiation machines and restore our network to full operation,” she said, but would not say how long the system was disabled or how long radiation treatment was suspended.

Voulgaridis declined to answer other questions about the security breach and what kind of patient information could have been compromised.

The Cancer Center of Hawaii is a private for-profit company that offers radiotherapy and brachytherapy at the Hawaii Pacific Health Cancer Center at Pali Momi Medical Center and the St. Francis Health Care System of Hawaii. It leases space from both hospital campuses and on its website calls itself “the only free-standing radiation cancer treatment center.”

Hawaii Pacific Health Cancer Center entrance.

Hawaii Pacific Health Cancer Center refers patients to The Cancer Center of Hawaii for radiation therapy.

Cory Lum/Civil Beat

Hawaii Pacific Health spokeswoman Kristen Bonilla said the health system’s networks are “isolated” and that none of its patient data was compromised.

“We go through audits and vulnerability scans to make sure our cyber security posture is appropriate,” she said of the Hawaii Pacific Health network system.

St. Francis Health Care System of Hawaii did not immediately respond to a request for an interview.

Cyber security and ransomware attacks have become increasingly common against medical providers.

In 2018, the Fetal Diagnostic Institute of the Pacific in Honolulu notified nearly 41,000 patients about a potential data breach after a ransomware attack. A security firm was able to remove malicious software and restore the company’s data, but found hackers had gained access to patient names, birth dates, home addresses, account numbers, diagnoses and other information.

Pali Momi health center.

The Cancer Center of Hawaii leases space at Pali Momi to offer radiation therapy for cancer patients and was temporarily unable to provide therapy after a cyber hacking attempt.

Cory Lum/Civil Beat

In 2016, the Hawaii Medical Service Association experienced a data breach caused by unauthorized access or disclosure of documents. The breach affected approximately 10,000 people.

The Hawaii Department of Health’s Adult Mental Health Division fell victim to a hacking IT incident on a desktop computer that affected 674 people in 2012.

An investigation by ProPublica and German public broadcaster Bayerischer Rundfunk found that medical data belonging to millions of Americans are insecure and easily accessed by “anyone with a web browser or few lines of computer code.”

Tony Dow, a cyber security expert and senior manager of security operations for Hawaiian Telcom, said the way the Cancer Center of Hawaii described the attack makes it appear to be ransomware.

“Ransomware is malware that gets in a company’s network, and its goal is to encrypt data, with the company up for paying a ransom to get access back to their data,” he said. “Sometimes this could bring down systems, like the availability of systems, but it could also encrypt critical information or patient data that doctors might want to access as well.”

Ransomware attacks can launch via corrupt email links or remotely through the internet. Ransomware rarely targets specific victims, he said. Hackers usually cast a wide net. But the health care industry is particularly susceptible and vulnerable.

“A health care company may be more liable to pay the ransom because of the criticality of those systems,” he said. “There are lives on the line.”

A message to our readers . . .

It’s a critical time for our community as we all try to navigate unprecedented disruptions to our daily lives.
 
We want you to know that our nonprofit newsroom’s team of reporters, editors and support staff are committed to providing you with accurate and in-depth information on Hawaii’s important issues, including developments on how our island state is coping with this global pandemic.
 
Help ensure that our newsroom remains strong during this period when fact-based, trustworthy information is more important than ever. Please consider supporting Civil Beat by making a tax-deductible gift.

About the Author