Hawaii Health Department warns of breach to death registry

Select an option below to continue reading this premium story.

Already a Honolulu Star-Advertiser subscriber? Log in now to continue reading.

Get unlimited access

From as low as $12.95 /mo.

Subscribe Now

The Hawaii Department of Health today announced there has been a security breach of its Electronic Death Registry System.

Notification letters regarding the unauthorized access to the system will be sent to surviving spouses and affected persons by the end of this week, DOH said.

Mandiant, a cybersecurity threat intelligence company, on Jan. 23 notified the Health Department, Office of Enterprise Technology Services, and Office of Homeland Security that an external medical certifier account had been compromised.

This certifier’s login credentials were placed for sale on the “dark web,” a marketplace of illegal products and services for cybercriminals.

Upon notification, DOH immediately disabled the account and launched an investigation, which was completed on Feb. 15.

The investigation found the compromised account belonged to a medical certifier at a local hospital who no longer worked there in June 2021, but whose account had not been deactivated.

Don't miss out on what's happening!

Stay in touch with breaking news, as it happens, conveniently in your email inbox. It's FREE!

By clicking to sign up, you agree to Star-Advertiser's and Google's Terms of Service and Privacy Policy. This form is protected by reCAPTCHA.

An unauthorized individual on Jan. 20 used the account to access the EDRS, with access to approximately 3,400 death records, including dates of death from 1998 to 2023. The majority of the death records, 90%, occurred in 2014 or earlier.

The death records contain the decedent’s name, social security number, address, sex, date of birth, date of death, place of death and cause of death.

All but 1% of the records had been certified, which means they could not be altered. DOH reviewed the 1% that were not certified and determined none were certified by the unauthorized user.

No death certificates were accessed, nor were any able to be generated, DOH said.

Out of an abundance of caution, however, DOH encourages those affected to remain vigilant of breaches to unsettled matters such as accounts, estate, life insurance claim or Social Security survivor benefits.

“In response to this incident, DOH is in the process of implementing additional security measures for EDRS external accounts,” said the department in a news release. “DOH is also conducting a security review of external accounts for all of our systems.”