The Florida Department of Health is working to recover systems that were recently impacted affecting its efficiency in distributing birth and death certificates. A ransomware gang has claimed responsibility, stating it stole a hundred gigabytes of personal data from the state.
The FDOH hasn’t confirmed a cyberattack compromised its system, however, healthcare systems have faced increased targeting from hackers over the last several years, prompting concerns over personal data and slowing operations at the department like the issuing of death certificates.
In a statement, FDOH said that its online Vital Statistics system was going through a temporary outage. The system is responsible for issuing birth and death certificates.
“We are working around the clock to restore the online Vital Statistics system,” said State Surgeon General Dr. Joseph Ladapo. “The majority of Department operations and services remain operational and unchanged.”
Central Florida Public Media reached out to FDOH and asked what caused the temporary outage, but it did not respond.
Attack on healthcare
The FBI has reported a growing trend in which hackers are targeting medical record holders using a tactic known as a ransomware attack which is a type of cyber attack where hackers steal stored information and hold it until victims pay a sum of money. The FBI found an 18% increase in ransomware attacks last year and found that healthcare systems were the most targeted operations.
Hackers are targeting healthcare operations because of the sensitive nature of the data, said Kevin Butler, the director of the Florida Institute for Cybersecurity Research. The penalties for releasing protected patient data are high, giving victims an incentive to pay off the hackers.
“A lot of federal legislation gets involved or regulations like HIPAA, and the like, so I could be out of compliance if my data gets stolen and that data becomes accessible to others,” Butler said. “The consequences of that data exposure are in some ways higher than in other areas. I think ransomware gangs know this.“
Of the 19 documented cyberattacks this year in Florida, 18 of them have been healthcare-related, including the City of Saint Cloud’s healthcare plan and the Moffitt Cancer Center and Research Institute, according to the U.S. Department of Health and Human Services. Of those incidents, over 156,000 individuals were affected.
Last year,a ransomware attack shut down a medical diagnostic imaging firm in South Florida, affecting several other Central Florida locations, as well.
Earlier this year, hackers gained access to a health database of users from across the country and started a ransomware attack that froze large parts of a UnitedHealth Group technology company. A ransom gang was said to be responsible for the attack, according to the Associated Press. The attack happened due to a lack of multifactor authentication.
Butler said that defending against cyberattacks is difficult as the types of attacks change, and can reveal that a system is not as robust as software designers initially thought. The best thing to do as a developer is to create systems that are secure by design, but even that's difficult and not always practical, he said.
“It is challenging to make things perfectly secure,” he said. “The costs and the timelines. You've created, the system, you may not have accounted for changes in technology, and your system may end up being obsolete… People have created extremely robust systems, put them out only to find out that the state of technology has passed them by.”
Rise of Ransom Gangs
Hackers are also coordinating better in groups, Butler said.
According to the FBI, the top five ransomware gangs targeting the U.S.’s health sector are all Russian speaking but aren’t associated with the Russian government. The cybersecurity group HackManac identified “RansomHub” as the group claiming on the dark web to have compromised the FDOH.
Among the FDOH’s systems that have been affected include its electronic death registration system, according to Services Cooperation International, which manages Central Florida’s Baldwin Fairchild Funeral homes. Receiving death certificates was affected, but funeral homes have been able to receive them through manual methods, said Gisselle Madrigal, a SCI spokesperson.
“State officials, local counties, and medical examiner offices are in accordance with the temporary solution while Florida's electronic death registration system has been offline,” SCI said in a statement. “
Florida does not legally require a death certificate in order for burial service to take place, but according to SCI, “cremation approval may see a slight delay.”
What should residents do?
It remains unclear how much of FDOH’s records have been impacted. If FDOH's records were compromised, Butler advises residents to monitor their financial and credit records for any unusual activity. Using a name and a social security number, someone with access to the stolen records could open a credit card or a loan in a victim’s name, Butler said.
“Putting a freeze on your credit record, and then talking to a credit bureau is one of the most important things that you can do in the presence of a data breach, as well as changing your passwords,” he said.
Copyright 2024 Central Florida Public Media