Hawaii Announces Security Breach of Death Registry System

The state Department of Health announced that unauthorized access to approximately 3,400 death records occurred on Jan. 20. The agency says that no death certificates were accessed or generated.

March 10, 2023 •

Nina Wu, The Honolulu Star-Advertiser

(TNS) — The Hawaii Department of Health today announced there has been a security breach of its Electronic Death Registry System.

Notification letters regarding the unauthorized access to the system will be sent to surviving spouses and affected persons by the end of this week, DOH said.

Mandiant, a cybersecurity threat intelligence company, on Jan. 23 notified the Health Department, Office of Enterprise Technology Services, and Office of Homeland Security that an external medical certifier account had been compromised.

This certifier's login credentials were placed for sale on the "dark web," a marketplace of illegal products and services for cybercriminals.

Upon notification, DOH immediately disabled the account and launched an investigation, which was completed on Feb. 15.

The investigation found the compromised account belonged to a medical certifier at a local hospital who no longer worked there in June 2021, but whose account had not been deactivated.

An unauthorized individual on Jan. 20 used the account to access the EDRS, with access to approximately 3,400 death records, including dates of death from 1998 to 2023. The majority of the death records, 90 percent, occurred in 2014 or earlier.

The death records contain the decedent's name, social security number, address, sex, date of birth, date of death, place of death and cause of death.

All but 1 percent of the records had been certified, which means they could not be altered. DOH reviewed the 1 percent that were not certified and determined none were certified by the unauthorized user.

No death certificates were accessed, nor were any able to be generated, DOH said.

Out of an abundance of caution, however, DOH encourages those affected to remain vigilant of breaches to unsettled matters such as accounts, estate, life insurance claim or Social Security survivor benefits.

"In response to this incident, DOH is in the process of implementing additional security measures for EDRS external accounts," said the department in a news release. "DOH is also conducting a security review of external accounts for all of our systems."

(c)2023 The Honolulu Star-Advertiser. Distributed by Tribune Content Agency, LLC.