HONOLULU — Approximately 3,400 death records maintained by the state Department of Health’s Electronic Death Registry System were accessed by an unauthorized individual on Jan. 20, according to the department.

The breach was discovered by the cybersecurity threat intelligence company Mandiant and reported to DOH, the state Office of Enterprise Technology Services and the Office of Homeland Security on Jan. 23.

According to the Mandiant report, an EDRS external medical certifier account was compromised and its login credentials put up for sale on the dark web. DOH immediately disabled the account and began an investigation.

DOH determined that the account belonged to a former medical certifier at a local hospital. The person left the job in June 2021, but the account was not deactivated.

The records that were compromised were for deaths dating back to 1998, with 90% from 2014 or earlier. The records contain the decedent’s name, social security number, address, sex, date of birth, place of death and cause of death.

According to DOH, 99% of the records had been certified and, therefore, could not be altered. The remaining records were reviewed by the department and determined to not to have been certified by the unauthorized user.

The department said no death certificates were accessed or generated. Regardless, it is encouraging affected parties to monitor any remaining unsettled matters, such as accounts, estate, life insurance claims or Social Security survivor benefits.

DOH will send notification letters about the breach this week to surviving spouses or the person who reported the death.

The department is also implementing additional security measures for EDRS external accounts and conducting a security review of external accounts for all of its systems. 

In 2018, DOH reported a breach of its Disease Outbreak Control Division surveillance computer server.

Michael Tsai covers local and state politics for Spectrum News Hawaii.