Hacking at HVAC Vendor: Access Acquired to Hospital Systems

At the beginning of August, a hacker contacted Dissent of DataBreaches.net and professed to have acquired access to the systems of an HVAC vendor and the systems of its customers, such as Boston Children’s Hospital.

The firm involved is ENE Systems based in Canton, MA. DataBreaches.net reported that the hacker had tried to extort cash from the ENE Systems, however, the vendor did not pay the ransom. The hacker nonetheless claimed to have gained access to the ENE Systems’ network as well as its clients and informed Dissent that he/she wasn’t keen on bringing about problems to the hospital. DataBreaches.net was asked to communicate with the hospital and ensure the breach of its network via the HVAC vendor if the vendor hadn’t conveyed the system breach to the hospital. Screenshots had been given to DataBreaches.net to prove the hack.

Although the systems breach of other hospitals wasn’t confirmed, Brigham & Women’s Hospital and Mass General Hospital is listed as a client on ENE Systems’ website.

Mass General Hospital released an announcement regarding the incident stating that the hospital was informed of possible cyber security problems that involve one of its vendors. As soon as informed, prompt action was done to observe proper guidance to minimize the risk. Hospital systems and procedures were not affected by the incident. Boston Children’s Hospital additionally affirmed that its vendor had encountered a breach and reported there is no threat to hospital procedures nor its company environment, and that no patient information was impacted in the breach incident. Brigham & Women’s Hospital stated it did not receive any notification of any problems with its HVAC vendor.

Supply chain attacks can compromise the systems of a lot of companies, just like what is seen in the latest attacks on Kaseya and SolarWinds. Attacks can happen at any stage of the supply chain, and HVAC vendors were targeted previously as they’re a possible security weak point.

One well-known attack that involved an HVAC vendor was the cyberattack on Target in 2013. Hackers acquired access to the system of Fazio Mechanical Services, an HVAC vendor that was contracted to keep track of Target’s refrigerated units. Because of the contracted responsibilities, the HVAC vendor was given access to Target’s system.

The hackers took advantage of that access, breached Target’s system, then moved laterally to access the POS system and steal the credit card information of 41 million people and the contact data of 60 million consumers. Target’s 2016 financial report records the cost of the breach at $292 million.


About Christine Garcia 1299 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA