Hawaii’s Department of Health has announced a data breach in its Electronic Death Registry System (EDRS) after hackers accessed approximately 3,400 death records from 1998 to 2023.
The department immediately disabled the external medical death certifier account connected to the EDRS after cybersecurity firm Mandiant notified them on January 23 that the account’s credentials had been sold on the dark web.
The compromised account belonged to a medical certifier who worked for a local hospital but left the job in June 2021, and the person’s account had not been deactivated afterward.
Although death certificates were not accessed, officials warned surviving family members to remain vigilant about any remaining unsettled matters, such as accounts, estate, life insurance claim, or Social Security survivor benefits.
Death certificates are required for settling financial and legal matters, and the death records contain the decedent’s personal information, including name, social security number, address, sex, date of birth, date of death, place of death, and cause of death.
However, 99% of the accessed records had already been certified, meaning they could not be altered.
The department plans to review all current external accounts and add more security measures for all external accounts connected to the EDRS.
The compromised account’s credentials were sold on the dark web, emphasizing the importance of practicing good cybersecurity hygiene, such as using strong passwords, changing passwords regularly, and deactivating accounts when no longer in use.