Cyber Incident Victim: Hawaii Department of Health
Date: Jan 2023
Location: United States of America
Summary
The Hawaii Department of Health experienced a cyberattack involving unauthorized access to its death registry system after credentials for an inactive external medical certifier account were sold on the dark web. Hackers accessed approximately 3,400 death records containing sensitive personal information, including names, Social Security numbers, and cause of death; death certificates were not compromised. The breach stemmed from an account that was never revoked after its owner, a hospital employee, left their position. The department promptly disabled the affected account, confirmed no unauthorized certification of records occurred, and initiated enhanced security measures for external system access while notifying impacted individuals.
Description
On January 23, 2023, the Hawaii Department of Health (DOH) was notified by cybersecurity firm Mandiant that credentials for an external medical death certifier account linked to the state’s Electronic Death Registry System (EDRS) had been sold on the dark web. The department immediately disabled the compromised account, which belonged to a former employee of a local hospital who had left their position in June 2021 but whose access had not been revoked. An investigation conducted between January and February 2023 determined that an unauthorized actor had used the credentials to access approximately 3,400 death records spanning from 1998 to 2023, with 90% of the records dating to 2014 or earlier. The accessed death records contained sensitive personal information, including decedents’ names, Social Security numbers, addresses, sex, dates of birth and death, place of death, and cause of death. Death certificates—distinct from death records and required for legal and financial settlements—were not accessed or altered.

The DOH confirmed that 99% of the compromised records had already been certified and could not be modified, while the remaining 1% of uncertified records showed no evidence of unauthorized certification. Forensic analysis traced the intrusion to two IP addresses located in Kentucky and the Netherlands. The department initiated breach notifications to individuals listed in EDRS as surviving spouses or those who reported deaths to mortuaries, advising vigilance regarding unsettled matters such as estate accounts, insurance claims, or Social Security survivor benefits. As a corrective measure, the DOH announced plans to implement additional security controls for all external EDRS accounts and began reviewing existing external account access. No further unauthorized activity was detected after the initial account deactivation on January 23.
