Health Hacker?

The FBI is investigating whether a hacker broke into the state’s confidential cancer registry, possibly holding personal information and medical records hostage.

Health and Human Services Commissioner Tom Suehs says state health officials notified his office in early May that a hacker was holding the Texas Cancer Registry hostage and demanding a ransom. Suehs says preliminary investigation results from the FBI indicate the threat may be a hoax, and officials with the Department of State Health Services, which oversees the cancer registry, say they don’t believe the names, dates of birth, Social Security numbers and personal medical information contained in it were stolen. But if the FBI determines private records were revealed, Suehs says, health officials will quickly notify the people listed in the registry.  

“This is an incident that makes everybody’s antennas go a little bit higher, and I’m using it as an opportunity to elevate our awareness of our responsibility to protect information,” Suehs says. “Nothing is 100-percent secure. But I think [most of] our systems, our processes, worked. And that’s the positive thing.”

The security scare comes at a sensitive time for the state’s health agencies, which are making plans for an electronic superhighway to exchange Texas medical records — and expect an influx of federal dollars to help do it. Privacy advocates are already nervous about whether the state has the technology safeguards to keep these records out of hackers’ hands.

“It should be a wake-up call that security is not up to par,” says Deborah Peel, a national patient privacy advocate based in Austin. “We have terrible infrastructure when we need to have a Fort Knox-level of security. What happened to the cancer registry could happen to any one of the state’s giant databases.”

While it’s common for state agencies and universities to get hit with computer viruses and other data security breaches — there are thousands of incidents reported every month, according to state information technology records — it’s very rare for the FBI to be called in to investigate. Lawmakers, who have left the Health and Human Services Commission’s recent requests for information technology upgrades mostly unfunded, say this latest security incident leaves them with no choice but to foot the bill, even in a tougher-than-tough budget cycle. 

“There’s no question we need to fund it,” says state Sen. Bob Deuell, R-Greenville. “There’s nothing more sacred than protecting private information.”

Suehs says that when he first learned of the alleged hacking incident, he was told the cancer registry “was being held hostage, and that there was a ransom involved,” and that the FBI had been notified. He says the system firewalls apparently activated and that the records appeared safe. Still, he dispatched his agency’s inspector general and an internal auditor to review the incident and demanded frequent updates from DSHS and the FBI.

FBI Special Agent Erik Vasys confirmed that federal investigators are “conducting an inquiry within the Department of State Health Services” but declined to comment further.

Carrie Williams, a DSHS spokeswoman, declined to give detailed information on the incident, saying she didn’t want to jeopardize the investigation. But she refuted the theory that there was a ransom involved and said the alleged security breach looks like “an isolated, one-time incident.”

“We expect to receive an analysis of the investigation and additional guidance in coming weeks,” Williams says.

Information technology experts say it’s possible that the message the agency got from a supposed hacker was actually a virus. Indeed, Suehs says, when FBI investigators replied to the threat, they got no response. But Suehs says the FBI informed his office as recently as Thursday that the incident was probably a hoax — and that the message may have been sent from inside the agency. 

It’s a crime, regardless of whether it was a hoax, Suehs says. And even if no records were compromised, he says, the incident exposed security holes that need to be addressed. In the last two budget cycles, his agency has requested more than $9 million for information technology improvements, Suehs says. Lawmakers have granted the commission $600,000.

Information technology upgrades are “a difficult thing to ask for, and it’s difficult for the Legislature to prioritize,” Suehs says. “But this is a legitimate concern, and I think state agencies have a responsibility to make it their highest priority.”