Hacking Hospitals With Vikas Singla – Act 1: Theft Of Mammograms

Join me to hear the story of Vikas Singla, the COO of a cybersecurity company named Securolytics. Singla disabled the phones at Gwinnett (GA) Medical Center, stole protected health info from mammograms, and posted the patients’ info on Twitter to drive business towards Securolytics. This is eCrimeBytes Season 2 Episode 23: Hacking Hospitals With Vikas Singla – Act 1: Theft Of Mammograms.

Transcript:

00:00:10:00 – 00:00:33:15
Keith
Hey. Hey, you crazy bastards! Welcome to this week’s episode of eCrimeBytes. This is where I research the court documents and roast the criminals so you don’t have to. So this week I’m bringing you season two Episode 23 Hacking Hospitals with Vikas Singla. Okay, so the criminal in this case, like I said, his name is Vikas Singla.

00:00:33:20 – 00:01:12:03
Keith
He’s a cybersecurity company COO. Now, this cybersecurity company, their name is Securolytics. s e c u r o l y t i c s. So as a COO, you can imagine he’s probably technical and he’s upper management. He’s, you know, close to ownership. He’s executive position of this company. So he’s in the industry that I am in cybersecurity. So he would be knowledgeable of all of this stuff that I’m bringing to you of all the hacks and so forth.

00:01:12:03 – 00:01:33:34
Keith
So this is, I believe, how he knows to do what it is that he does. And what he does is he damages computer systems. And I say computer systems very loosely here. We’re going to be talking about phone systems, printers and things like that, too. Now, the victims here, Gwinnett Medical Center, I’m just going to call them the medical center throughout here.

00:01:33:39 – 00:01:59:17
Keith
They’re a medical center. That’s a nonprofit. And they have hospitals in Duluth and Lawrenceville, Georgia. Now the medical center, they have phone systems that’s going to be part of the hack here that we’re going to be talking about. They also have printers, also part of the incident. And then Twitter is going to be involved near the end. Pretty interesting tidbit there that you’re definitely going to want to hear about.

00:01:59:21 – 00:02:32:32
Keith
That’s kind of the pinnacle of the case, in my opinion. So why did I pick this case? I tried to. Okay. I tried to sit there and I’m closing my eyes for audio listeners. And I try to put myself in the place of a woman going in and getting a mammogram, probably being incredibly tense about it and being stressed either because, A, you don’t want to have a finding or B, you want to make sure your finding doesn’t come back right?

00:02:32:37 – 00:03:01:31
Keith
In either of those instances, the patients can be extremely stressed and then they get caught up in this cybersecurity incident. It adds to that stress. It just blows my mind. And that’s that’s the reason why I picked this case, is imagine that poor patient getting caught up in this mess unknowingly. And stick around and I will tell you what the mess is in here in a second, because we’re going to start with Act One, which is theft of mammograms.

00:03:01:36 – 00:03:22:20
Keith
So the defendant in this case, his name is Vikas Singla. I have his pictures on the screen here. Left hand side picture came from Twitter. That was his profile picture on one of the Twitter accounts. And then the right hand side came from his LinkedIn accounts. Now, unfortunately, I didn’t get this case before he changed his LinkedIn LinkedIn profile.

00:03:22:25 – 00:03:46:40
Keith
So I did get a copy of it before he changed it. And I’ll put it on your screen here. It shows that image that I just showed you on his LinkedIn profile and it says his name and it says COO at Securolytics. So again, upper management at this cybersecurity company in the Atlanta, Georgia, metropolitan area. Now, this profile changes.

00:03:46:40 – 00:04:03:21
Keith
I’m going to show you what it changes to at the end of this episode. So stick around and I’ll show you. Now, I wondered who Securolytics was and what they did. So I went to their website and here’s their home page as it came to me. You can see just in big, bold letters managed cloud security platform.

00:04:03:34 – 00:04:32:22
Keith
This means they are squarely in the cybersecurity industry. You know, they should know about hacking. They should know about breaking into vulnerabilities, finding vulnerabilities, defending against them and stuff like that. So then I tried to see what type of products they had. And down at the bottom they said they do IoT asset discovery, IoT vulnerability detection, IoT network access control and IoT firewall.

00:04:32:27 – 00:04:57:17
Keith
And what all those things mean is IoT is Internet of Things. So think anything beside your phone, tablet or computer. So think of things like light bulbs that are smart or refrigerator or your doorbells or cameras. All those type of things are considered IoT or Internet of Things. They’re on the Internet, so they deal with that subsection of cybersecurity.

00:04:57:22 – 00:05:36:40
Keith
Not only that, but they say they also do Office 365 security. So that’s like your email type of security and log management, because corporations typically have a lot of logs. That’s that’s partially what I deal with in the cybersecurity industry is generating network logs. And a lot of times they’ll corporations will have terabytes of logs and they just won’t have places to store them, and they’ll need somebody to help them, you know, manage them and organize them and make them accessible in case something bad happens like this to pull and figure out, you know, who did it or who done it.

00:05:36:45 – 00:05:59:27
Keith
Okay. So immediately when I was searching for Securolytics I was looking for their website. I typed their name into Google. Like any rational Internet user these days. And Google tells me this is what Securolytics is. On the left hand side, that’s a Google profile. So I thought, yeah, it looks like your general cybersecurity company, except for they have a 3.8 out of five ratings.

00:05:59:27 – 00:06:28:58
Keith
And I thought to myself, I’ve never seen anybody rate another cybersecurity entity product or anything on Google and have it be taken seriously. Usually there’s other channels, you know, like, you know, there’s like Gartner reviews and industry reviews. People don’t typically go to Google when they shop for cybersecurity company. So finding a review in here was very interesting to me, and finding a low review in here was even more interesting to me.

00:06:28:58 – 00:06:44:57
Keith
So I went and dug into that and I pulled up the low review. They had four, so this low one drove it down to 3.8. And I’m going to read it for you because this is actually this correlates with stuff this company does later on. It’ll make sense when I tell you stuff later on. So just stick around.

00:06:44:57 – 00:07:13:02
Keith
I’m going to read you what they said here and give me my opinion on it. So a reviewer came along, their name was Sandbox for Vendors and they had their profile picture is Fred Flintstone. And, you know, so it’s not a real human being picture or anything. And they gave it a one star six years ago and they said unsolicited advertising emails from Jeff Councill taking advantage of the WannaCry hysteria, reported as spammer.

00:07:13:07 – 00:07:38:47
Keith
Now WannaCry was a malware that came out several years ago that got a lot of publicity. And yes, security companies definitely used it to, they used it as an example to try to pull some more customers to their services. Now all that kind of makes you read that and you’re like, Yeah, that kind of sounds like pretty much any company that’s advertising, right?

00:07:38:51 – 00:08:01:25
Keith
But this this is the part I wanted to read to you is the response from the owner. And it’s amazing. Okay, I’m going to read it verbatim and then I’m going to give you my opinion. It says, Thanks so much for contacting Securolytics. Our team of experts are on the forefront of stopping breaches like WannaCry. We will never sit by and allow our clients to be harmed by cyber criminals.

00:08:01:37 – 00:08:24:38
Keith
Let’s not mince words. Ransomware is a serious crime perpetrated against innocent organizations. Securolytics has tools to proactively help our clients and we will never give up our vigilance. Please contact. And then they gave their phone number to learn more. So my God. It’s like that person complained and they couldn’t even give me, Hey, I’m sorry you didn’t like our advertising.

00:08:24:38 – 00:08:48:55
Keith
They gave them more fucking advertising in the response. It reminds me of one of my favorite holiday movies. This is. I’m shooting this episode during the holidays, so my favorite holiday movie is A Christmas Story, and it’s when the little boy gets that decoder ring and he thinks it’s a secret decoder to Little Orphan Annie’s messages coming across the radio and he listens to it.

00:08:48:55 – 00:09:09:55
Keith
He gets, you know, he gets his pencil paper. He sits down and he writes it down and he gets this thing. And he finally, because it says, Drink more Ovaltine. And he’s like, Fuck me, it’s advertising. And that’s how I felt when I read this review. I was like, Yeah, that’s it. That’s kind of a legit review. And then this person, I’m just going to advertise my response to this person complaining about the advertising.

00:09:09:55 – 00:09:32:30
Keith
It’s just complete irony. Okay, So then I shifted my attention to the Gwinnett Medical Center because I wondered what this medical center was, what their campus was like. And so forth. So I look them up on Google to find their web page like any sane person probably would. And then I saw their profile and it was 2.2 out of five stars.

00:09:32:30 – 00:09:55:45
Keith
And I thought, Holy shit, how bad is this medical center to get 2.2 out of five stars? It’s not even every other person is on it. More than every other person is unhappy with this place. Okay, So then I was like, I clicked on their reviews and I saw that one of the top ones was like very helpful, caring and friendly group of doctors, nurses and staff.

00:09:55:50 – 00:10:13:25
Keith
And then I switched to a one star review and says, not to mention they charge criminally high prices for treatment. And I thought to myself, Well, that just sounds like that. It sounds like the medical industry. So I read another one and says, my God, this is ridiculous. People wait close to 7 hours to see a doctor.

00:10:13:25 – 00:10:38:19
Keith
And I thought, also sounds like the medical industry. And not specific to this medical center. So then I said, I’m going to check out one of my local establishments, one that I visit that I know is, you know, pretty decent. I’ve been there myself several times and they got like a three out of five stars. So I think this is kind of normal for the medical industry for people to complain.

00:10:38:24 – 00:11:07:44
Keith
In Google reviews about them. That’s that’s what I found. I don’t know. Your experience might be different, but that’s what I found, just kind of Googling around different medical places. So they’re the victim in this case. All right. Because on September 27th, 2018, Vikas Singla modified a configuration template for the ASCOM phone system for the medical systems in Duluth, Georgia Hospital campus.

00:11:07:44 – 00:11:35:20
Keith
Now, it was clear in the court paperwork that he, Mr. Singla, did not have permission to do this change. I couldn’t definitively put my finger on whether or not the medical center has hired Securolytics now or any point and whether or not Singla had access because of that or because he hacked in and just, you know, breached their system and was in it.

00:11:35:25 – 00:11:53:59
Keith
So there could be two scenarios, right, where he was an insider because they hired him at some point or he was never an insider and he broke in. I couldn’t put my finger on which case was his. So throughout this case, I don’t have that information, but I don’t think it I think it makes it doesn’t make the case.

00:11:53:59 – 00:12:17:21
Keith
There’s a lot of other things in the case here that we’re going to pay attention to here. So he makes this change in the configuration file for the phones. And he didn’t have permission to do this. And what happened was 200 more than 200 hospital phones stopped working. Now, I’ve been in the hospital. I had very serious spinal cord surgery.

00:12:17:21 – 00:12:39:35
Keith
I was at Johns Hopkins Hospital for a couple of days. I got to see how these things work from the inside out. I mean, they everything is well oiled from, you know, when they bring you out of surgery and when they’re waking you up with, you know, there’s phones next to your bed, there’s like little indicators where I could get their attention.

00:12:39:40 – 00:13:03:14
Keith
You know, there’s communication everywhere to monitor people. And I was in ICU and it was very well monitored there. And even in just the general hospital, there was also all this communication. So the fact that he went into a hospital like this and disrupted phones, you can imagine somebody like myself that would have been there would have been like, holy God, I’m in the hospital right now and they’re having a phone problem.

00:13:03:14 – 00:13:32:54
Keith
I really hope I don’t have an issue because that requires the phone, because right now we don’t have them. So these are the phones that these doctors in this medical facility, they said in the court paperwork that they use them for these code blue emergencies. So the point in time when you need communication, they use them and they’re now inoperable. Also because they are phones, people can’t call outside the hospital either.

00:13:32:54 – 00:13:58:09
Keith
So I imagine calling things into pharmacies or ambulance services and things like that, couldn’t make phone calls. And so I wondered what this ASCOM was and I apologize if I’m mispronouncing it might be ASCOM, but they’re a vendor, they’re a phone vendor. And when I go to their home page, they show they show more wireless devices than they do wired devices.

00:13:58:09 – 00:14:19:09
Keith
So they didn’t specify in the court paperwork if these are actual wired phones in the hospital. That’s kind of what I imagined. But this company shows their wireless products on their home page that I have on your screen right now, which is like smart phones and these VoWiFi phones and these pagers that I imagine all are things that doctors use as well.

00:14:19:09 – 00:14:56:08
Keith
So just know the phone systems inside the medical center have now gone down September 27th, 2018. And it’s this company, this vendor specifically is their systems that went down. No fault of this vendor. It’s because Singla, same day, Singla then gets on this Hologic R2 digitizer connected to a mammogram machine. If you’re not familiar with a mammogram machine, this is where they I think it’s x ray.

00:14:56:08 – 00:15:28:40
Keith
I’m not sure the exact technology, but they they photograph the breast in order to look for breast cancer. So it’s a digitizer that takes the images that come out of the mammogram and makes them into digital images. So you can imagine they have patient information connected to them like name, dates of birth, gender and things like that. Well, Singla got on this digitizer and pulled the protected health information from over 300 patients.

00:15:28:44 – 00:15:51:57
Keith
So now he has access to protected health information that he’s not supposed to have access to. He was never given permission to do this either. If he worked there at some point, which I’m not sure, or if he broke in, he was never given permission to get this information. And now he has access to it. This digitizer was only accessible from the medical system’s VPN or their virtual private network, and it was password protected.

00:15:51:57 – 00:16:13:35
Keith
So it’s not something out there that’s just hanging in the wind on the internet that Keith Jones can log into and pull data from. You had to be on the Medical System’s network in order to get to it. It was protected, is what I’m saying. And I wonder just what did this thing look like? So I think I found their user guide, which I tell you, I flipped through it.

00:16:13:35 – 00:16:42:46
Keith
In this thing, you do need to be a rocket scientist to understand medical stuff because it’s complex. So I showed you the cover photo, which is about as much as I understand of this medical system. It looks like, I don’t know, like a wheelie cart with a digital touchpad. I guess, on top of the cart. And then it’s got like this flat screen monitor off on an arm on the right hand side, and they’re showing kind of like an image through a grapefruit of some sort.

00:16:42:51 – 00:17:11:30
Keith
And it’s just this Hologic R2. So when you’re trying to think of what it was he logged into and what he pulled data from, it was this machine. It wasn’t a generic computer on the network. Same day, new incident, but it’s related. Singla printed a file name I’ll spell for you first it’s B A I D U dot txt.

00:17:11:35 – 00:17:42:01
Keith
He sent this file to 200 printers in the Duluth and Lawrenceville Hospital campuses. The file contained that personal health information that I just described to you stolen from that mammogram digitizer and it also had a message for the people reading it on the other end. It says, We own you in all caps. This was done through the medical system’s VPN to get to these printers.

00:17:42:05 – 00:18:10:38
Keith
These printers were used for patient care. And you can imagine anybody that had access to these printers that saw this data come across and says, we own you would have a lot of fear because they would know that was a serious, serious thing that they just witnessed. It would also be a denial of service because you can imagine if people freak out and turn off the printer or there’s too many print jobs coming across when you have to use these printers to print somebody’s chart or something like that, it’s not accessible.

00:18:10:42 – 00:18:41:36
Keith
Now, I can say with authority because the documents said so in the court documents that said Singla had no permission at all to do any of this. So this was another cybersecurity incident attributed to him in the court documents. They only charged Singla with about 15 counts. Instead of all 200 plus printers. And I’m just putting you a summary of all the counts they charged them with later on with these printers.

00:18:41:36 – 00:18:57:00
Keith
These are the what they said the printers are most of them are Lexmark printers, and they give the IP address or that computerized address of where they’re accessible from on the Internet. And it’s counts two through 17. Later on, they get attributed to these printers that they charge them with.

00:18:57:00 – 00:19:01:28
Keith
Okay. And if you’re going, holy shit, this guy is a douche bag.

00:19:01:28 – 00:19:16:56
Keith
I can’t I don’t know what else he could do that’s worse. I got one more thing he did for you. One more thing. And this is the one where I shake my head and I was like, You just took it too far. Not that he. He took it too far before, but this is this is really too far.

00:19:17:01 – 00:19:45:13
Keith
And October 2nd, 2018, there’s this Twitter account. Or if you’re just joining the game, it’s called X now, but I’m going to say Twitter. There’s a Twitter account also called Baidu. And a random number. Baidu spelled the same way as that text file earlier that I told you that was printed. This account posted 43 public messages claiming that that medical center was hacked.

00:19:45:18 – 00:20:09:52
Keith
That would be enough to make them shit a brick. The medical center. Right. If you’re a patient and you saw that, that would be enough to make you shit a brick, right? Imagine if you were one of the patients that were posted their medical information. So this this this account posted that stolen information on there as sort of like proof that the medical system has been hacked.

00:20:09:57 – 00:20:34:42
Keith
So imagine if you were one of those patients that you look up there and you’re like, holy shit. Keith Jones, gender male and it has my birth date. You would be probably pretty irate and I imagine rightfully so, litigious at that point if you saw your personal information used in a hack at that point. Now, I went out there and I thought I hope to God this information still isn’t there.

00:20:34:42 – 00:20:40:19
Keith
And I tried to find this account and it doesn’t appear to be there, thankfully. So it looks like that information is gone.

00:20:40:19 – 00:21:02:50
Keith
And so remember at the beginning and I said, I’m reading you a Securolytics review because it was like an ad when a person was complaining about their ads. Well, at this point in time, Securolytics tries to make money off this incident, Securolytics pointed to this public event of this medical system.

00:21:02:55 – 00:21:38:34
Keith
They emailed potential clients and they offered their services. So they took this public event. We’re like, Hey, look at this. We can help protect you from stuff like this. That’s very, very consistent with the Google Review where somebody complained and then they answered them with an ad, right? It’s like everything this company does is ad ad ad. So this part this is where, you know, I described to you the crime and then I now described to you where the company got involved with crime, because of Vikas Singla.

00:21:38:34 – 00:22:08:23
Keith
He’s COO at Securolytics, where they’re doing this underhanded ad campaign. So with that, I am done with Act One. If there’s anything you liked in this act or episode, please like, subscribe, follow, thumbs up or reshare. Reshare this with any of your friends think might like true crime podcasts because tomorrow, tomorrow I’m going to come back and I’m going to bring you Act two, which I titled Falling Down.

00:22:08:23 – 00:22:30:16
Keith
And that’s kind of he’s he’s on top of the world right now because he’s got everything and he’s advertising to these companies, hoping he’s going to get business from all these companies because they’re pointing at this incident that he caused. But that’s the pinnacle. He’s going to fall down from here. So join me tomorrow and I’ll give you act two Falling Down, thanks.
