Security Firm COO Charged in Attack on Medical Center
Experts Say Odd Case Offers Forewarning to Others
The chief operating officer of a network security firm serving the healthcare sector has been charged by federal prosecutors with alleged crimes stemming from a cyberattack on an Atlanta, Georgia-area medical center in 2018. Some experts say the unusual case offers forewarnings to others.
The Department of Justice in a statement Thursday said Vikas Singla, the COO of a metro-Atlanta network security company that served the healthcare industry, allegedly conducted a cyberattack in 2018 on Gwinnett Medical Center. The medical center has since been renamed Northside Hospital System, operating several hospitals, including Northside Hospital-Gwinnett.
Singla was charged in a Georgia federal court Thursday with 17 counts of intentional damage to a protected computer, each of which carries a maximum penalty of 10 years’ imprisonment; and one count of obtaining information by computer from a protected computer, which carries a maximum penalty of five years’ imprisonment, the Justice Department says.
Singla, who pleaded not guilty to the charges, was released on bond. A trial date has not yet been set by the court.
Court documents and prosecutors did not publicly identify Singla's firm or his relationship with the medical center – if any – at the time of the alleged incident.
But Singla's LinkedIn profile identifies him as COO of Atlanta-based Securolytics.
Information Security Media Group reached Singla directly by phone at Securolytics on Friday, but he declined immediate comment on the case, including clarification about his relationship to the former Gwinnett Medical Center.
A Justice Department spokesman also declined ISMG's request for comment about the case, including whether others also might be charged in the incident.
Medical Center Statement
Northside Hospital System, in a statement to ISMG, says: "We are pleased with this result, and thank the many individuals and organizations which have worked so hard on our behalf."
A hospital spokeswoman did not immediately respond to ISMG's request for additional details about the cyber incident, including clarification about the relationship between the former Gwinnett Medical Center and Singla.
Prosecutors in court documents allege that on Sept. 27, 2018, Singla conducted a cyberattack on Gwinnett Medical Center that involved disrupting its Ascom phone service, obtaining information from a Hologic R2 digitizing device, and disrupting Lexmark network printer services, in part for "commercial advantage and private financial gain."
Indictment documents also allege that Singla was "aided and abetted by others unknown" to the grand jury assigned to the case.
Prosecutors in court papers allege Singla "knowingly caused and attempted to cause the transmission of a program ... and, as a result … intentionally caused and attempted to cause damage without authorization to a protected computer - that is, one or more computers used by Gwinnett Medical Center that operated the Duluth, Georgia, hospital's Ascom phone system."
The offense caused – "and would have caused, if completed" – the modification and impairment of medical examination, diagnosis, treatment and care of one or more individuals; and damage affecting at least 10 protected computers, court papers allege.
“This cyberattack on a hospital not only could have had disastrous consequences, but patients' personal information was also compromised,” Chris Hacker, special agent in charge of the FBI’s Atlanta field office, said in the Justice Department statement.
“The FBI and our law enforcement partners are determined to hold accountable those who allegedly put people’s health and safety at risk while driven by greed.”
The Department of Health and Human Services' HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals does not show any breach reports filed by Gwinnett Medical Center.
While prosecutors and court documents are mum so far on the nature of the prior relationship – if any – between Singla and Gwinnett Medical Center, such as whether Singla's firm worked with the hospital or if the parties were involved in a business dispute – some experts say the case offers forewarnings to others.
"This case certainly is unusual but it is not unheard of," says attorney Michael Borgia, a partner at the law firm Davis Wright Tremaine, who is not involved in the Singla case.
"I’ve handled a few matters where attacks were perpetrated by disgruntled employees, vendors or others," he says. "In some of those cases the attacker worked hard to make the attack look like it was coming from external hackers by routing traffic through foreign countries or impersonating hacking gangs in communications," he says.
The case against Singla involving the medical center "is a good reminder that while ransomware gangs are getting most of the attention right now, they are far from the only threat," Borgia notes.
"Healthcare organizations need to take a comprehensive view of their cyber risks and address threats from ransomware to careless or even hostile employees or service providers."
William Moran, an investigative and crisis management attorney at law firm Otterbourg, which is not involved in the Singla case, says the compromise of a healthcare provider’s computer system by an individual who has a legitimate relationship with the organization is not unusual, although such cases can become complicated.
For instance, Moran notes that his firm recently represented a provider in a case in which patient data was accessed and unlawfully taken with the intention of using it separately and apart from the healthcare provider.
"In our recent case, we promptly brought the U.S. Secret Service in to review the case, and while it determined that criminal charges would not be pursued because it was determined the perpetrator likely had authority in the first instance to access the data, the perpetrator agreed to destroy the data that was unlawfully taken but not yet used," he says.
The allegations against Singla in the medical center cyberattack also highlight potential risks involving vendors, Borgia notes.
"Vendors can create huge cyber risk for companies, especially where they have privileged access. Cybersecurity and IT vendors can pose a particularly high level of risk given the access they often need to a network and their role," he says.
Security and IT vendors "typically are the ones who are supposed to be finding and stopping cyberthreats," Borgia adds.
Organizations need to review and audit their service providers’ access to and activities on the network periodically, he says. "A service provider shouldn’t both have privileged network access and be solely responsible for monitoring that access."
Nonetheless, the circumstances of the alleged cyberattack on Gwinnett Medical Center by Singla make the case appear "very odd," says privacy attorney Kirk Nahra of the law firm WilmerHale, which is not involved in the Singla case.
"There have been some situations where people posit themselves as security helpers, but actually are the opposite," he notes. "This could be a variation of … an insider attack."