The Florida Department of Health is working to recover systems that affect its efficiency in distributing birth and death certificates.
The outages came after ransomware gang claimed it hacked into the network and stole 100 gigabytes of personal data. The department hasn't confirmed the cyberattack but said its Vital Statistics system was going through a temporary outage.
According to reports, the hackers threatened to release health department data on the dark web if the state did not pay an unspecified amount of money by last Friday. Florida law prohibits state and local governments from paying ransom for cyberattacks.
Health care systems have faced increased targeting from hackers in recent years, prompting concerns over personal data and slowing operations at the department like the issuing of death certificates.
The Vital Statistics system is responsible for issuing birth and death certificates.
“We are working around the clock to restore the online Vital Statistics system,” said State Surgeon General Dr. Joseph Ladapo. “The majority of department operations and services remain operational and unchanged.”
Central Florida Public Media reached out to the agency and asked what caused the temporary outage but received no response.
Attack on health care
The FBI has reported a growing trend in which hackers are targeting medical record-holders using a tactic known as a ransomware attack, in which hackers steal stored information and hold it until victims pay a sum of money. The FBI found an 18% increase in ransomware attacks last year and found that health care systems were the most targeted operations.
Hackers are targeting health care operations because of the sensitive nature of the data, said Kevin Butler, the director of the Florida Institute for Cybersecurity Research. The penalties for releasing protected patient data are high, giving victims an incentive to pay off the hackers.
“A lot of federal legislation gets involved or regulations like HIPAA, and the like, so I could be out of compliance if my data gets stolen and that data becomes accessible to others,” Butler said. “The consequences of that data exposure are in some ways higher than in other areas. I think ransomware gangs know this.“
HIPAA, or the Health Insurance Portability and Accountability Act, is a 1996 federal law designed to protect patients' personal and medical information.
Of the 19 documented cyberattacks this year in Florida, 18 have been health care-related, including the city of Saint Cloud’s health care plan and the Moffitt Cancer Center in Tampa, according to the U.S. Department of Health and Human Services. Of those incidents, over 156,000 individuals were affected.
Last year, a ransomware attack shut down a medical diagnostic imaging firm in South Florida, affecting several other Florida locations, as well.
This year, hackers gained access to a health database of users from across the country during a ransomware attack that froze large parts of a UnitedHealth Group technology company. A ransom gang was said to be responsible for the attack. The attack happened due to a lack of multifactor authentication, UnitedHealth's CEO told Congress.
“Putting a freeze on your credit record, and then talking to a credit bureau is one of the most important things that you can do in the presence of a data breach, as well as changing your passwords.”Kevin Butler
Butler said that defending against cyberattacks is difficult as the types of attacks change, and can reveal that a system is not as robust as software designers initially thought. The best thing to do as a developer is to create systems that are secure by design, but even that's difficult and not always practical, he said.
“It is challenging to make things perfectly secure,” he said. “The costs and the timelines. You've created, the system, you may not have accounted for changes in technology, and your system may end up being obsolete. … People have created extremely robust systems, put them out only to find out that the state of technology has passed them by.”
Rise of ransom gangs
Hackers are also coordinating better in groups, Butler said.
According to the FBI, the top five ransomware gangs targeting the U.S. health sector are all Russian speaking but aren’t associated with the Russian government. The cybersecurity group HackManac identified “RansomHub” as the group claiming on the dark web to have compromised the Florida health department.
Among the health department's systems that have been affected include its electronic death registration system, according to Services Cooperation International, which manages Central Florida’s Baldwin Fairchild Funeral homes. Receiving death certificates was affected, but funeral homes have been able to receive them through manual methods, said Gisselle Madrigal, a SCI spokesperson.
“State officials, local counties, and medical examiner offices are in accordance with the temporary solution while Florida's electronic death registration system has been offline,” SCI said in a statement. “
Florida does not legally require a death certificate for a burial service to take place, but according to SCI, “cremation approval may see a slight delay.”
What should residents do?
It remains unclear how much of state records have been impacted. If their information was compromised, Butler advises residents to monitor their financial and credit records for any unusual activity. Using a name and a Social Security number, someone with access to the stolen records could open a credit card or a loan in a victim’s name, Butler said.
“Putting a freeze on your credit record, and then talking to a credit bureau is one of the most important things that you can do in the presence of a data breach, as well as changing your passwords,” he said.
Copyright 2024 Central Florida Public Media
