Former infosec COO pleads guilty to attacking hospitals to drum up business
Admits to taking phones used for 'code blue' emergencies offline and more
An Atlanta tech company's former COO has pleaded guilty to a 2018 incident in which he deliberately launched online attacks on two hospitals, later citing the incidents in sales pitches.
Under a plea deal he signed last week, Vikas Singla, a former business leader at network security vendor Securolytics – a provider to healthcare institutions, among others – admitted that in September 2018 he rendered the Ascom phone system of Gwinnett Medical Center inoperable.
Gwinnett Medical Center operates hospitals in Duluth and Lawrenceville, and the deliberate disablement of the Ascom phone system meant the main communication line between doctors and nurses was unavailable to them.
More than 200 phones were taken offline. They were used for internal communications, including "code blue" incidents that often relate to cardiac or respiratory emergencies.
Singla also gained access to Gwinnett Medical Center's VPN, which in turn afforded him access to a Hologic R2 Digitizer, a device connected to mammogram machines. The device also stored the personal data of patients, including names, dates of birth, and sex.
For more than 300 patients, this data was stolen by Singla and added to a document called "Baidu.txt." Singla later executed a print job on more than 200 printers across the two hospitals' campuses, revealing all the stolen data, along with the words "WE OWN YOU."
The plea deal [PDF] stated that this could have caused "fear among medical staff and impair the provision of hospital services."
Singla then took to a now-closed Twitter/X account to post 43 tweets, publicizing the incident, with each of the 43 messages containing some stolen personal information from the mammogram's digitizer.
After all of the events had transpired, Securolytics began emailing potential clients regarding new business opportunities, citing the publicized attacks.
Neither Securolytics nor Northside Hospital, Gwinnett Medical Center's new name, responded to The Register's request for comment.
"Criminal disruptions of hospital computer networks can have tragic consequences," said acting assistant attorney general Nicholas L. McQuaid of the Justice Department's criminal division, at the time of Singla's 2021 indictment.
"The department is committed to holding accountable those who endanger the lives of patients by damaging computers that are essential in the operation of our healthcare system."
"This cyberattack on a hospital not only could have had disastrous consequences, but patients' personal information was also compromised," said aptly named Chris Hacker, special agent in charge of FBI Atlanta.
"The FBI and our law enforcement partners are determined to hold accountable those who allegedly put people's health and safety at risk while driven by greed."
Guilty plea, but (maybe) no prison…
Pleading guilty to one count of intentional damage to a protected computer, Singla faces a maximum prison term of 10 years, though he may not ever see the inside of a cell.
It was recommended that the court instead sentence Singla to 57 months of house detention because he suffers from an "extraordinary" rare and incurable form of cancer. Any delay to his surgery, should the cancer recur, may render his condition inoperable, according to the plea agreement.
The decision to recommend the alternative to incarceration was also influenced by a "dangerous" vascular condition, from which Singla also suffers.
He will have to pay $817,804.12 in restitution to Northside Hospital and Ace American Insurance Company for the damages incurred by the attack, plus any applicable interest that accrues by the time he's sentenced on February 15, 2024. ®