Join me to hear the story of Vikas Singla, the COO of a cybersecurity company named Securolytics. Singla disabled the phones at Gwinnett (GA) Medical Center, stole protected health info from mammograms, and posted the patients’ info on Twitter to drive business towards Securolytics. This is eCrimeBytes Season 2 Episode 23: Hacking Hospitals With Vikas Singla – Act 2: Falling Down.
For the background, please check out:
- Chris Hacker? https://www.bleepingcomputer.com/news/security/cybersecurity-firm-executive-pleads-guilty-to-hacking-hospitals/
- https://www.crunchbase.com/person/vikas-singla (Photo)
- https://www.securityweek.com/coo-security-company-charged-cyberattack-medical-center/ (Photo)
00:00:10:00 – 00:00:32:54
Hey. Hey, you crazy bastards. Welcome back to this week’s episode of eCrimeBytes. This is where I research the court paperwork and roast the criminals so you don’t have to. This week I’m bringing you season two, episode 23. This is Vikas Singla and his hacking hospitals. So to recap on Act one, which was yesterday, I recommend you go back and watch.
00:00:32:55 – 00:01:02:53
I’ll put a link here for YouTube, but if you don’t let me give you a real quick recap so you’ll remember what I told you. Vikas Singla, he is COO, meaning he’s chief operating officer of this cybersecurity company called Securolytics. There was a medical center, Gwinnett Medical Center. And in Georgia, they have a couple hospital campuses. And in September 2018, Vikas Singla without permission.
00:01:02:58 – 00:01:36:04
Well, first he disabled their phones by modifying a configuration file for their phone system. So over 200 phones went offline. That was one issue. The second issue was he then broke into a mammogram digitizer machine and pulled protected health information from patients off of there and didn’t just keep it. He then took it and printed it out. Over 200 printers in the medical campuses with another message that says, We own you in caps.
00:01:36:09 – 00:02:00:59
So probably causing some fear in the people picking these up off the printer because they will probably look at this and know exactly what happened. And then he takes the info and posts on Twitter publicly. And when I say info, I mean the patients, the mammogram patients. He takes their info and posts it publicly on Twitter. And in the end, Securolytics
00:02:00:59 – 00:02:18:48
then goes back to their potential clients and say, Hey, check out this incident. Don’t want to be them, do you? Hire us. We can help you out with this kind of stuff. So that’s where I last left you. And now I’m bringing you into Act two, falling down. Because biggest thing, like he’s he’s at the pinnacle right now.
00:02:18:48 – 00:02:44:50
He’s living the high life. He thinks, you know, he’s going to get all this business because there’s this public incident that he caused that he’s pointing to to potential clients. He thinks Securolytics is going to get business hand over fist. Well, it’s going to be a little different because the medical center starts doing some investigation and they figure out they’ve got some losses close to $1,000,000.
00:02:44:50 – 00:03:12:10
It’s actually $817,000 in losses. Now, like I’ve told you, another episode, sometimes court paperwork, it’s spotty. There’s information missing here. It’s not clear if Vikas Singla and Securolytics were ever hired by the medical system. I didn’t find that definitively, so I don’t want to say that. But it’s also not clear how they figured out it was Vikas Singla.
00:03:12:15 – 00:03:36:06
But they did. I imagine if he used to work there, there was probably some account attributed to him that they were able to trace it to. If he didn’t work at there, I imagine they traced it to some IP address or that computerized number I, you know, number address that I’ve been telling you about. They traced to that which could then possibly go to where he was living or working at the time.
00:03:36:11 – 00:04:01:51
But at some point they know it’s him and they get an arrest warrant and they arrest him. And this is June 8th of 2021. He’s arrested. So he’s arrested for 18 counts. The first count is intentional damage to a protected computer. Now, that’s a legal way of saying a computer on the Internet. That’s what a quote unquote protected means.
00:04:01:51 – 00:04:24:26
In legal words, it’s a lot. Trust me. It’s paragraphs long in legal words. But that’s what it boils down to, is a computer on the Internet doing interstate communications, which is pretty much any computer on the Internet. So they’re charging him with intentional damage to that computer. But specifically, it’s not a computer. It’s a phone system. In legal paperwork,
00:04:24:26 – 00:04:54:46
they call it a computer. So this is the phone system that I told you about. This is the count later on that’s going to be important. So keep that in mind. Now counts two through 17. This is these are also intentional damage to a protected computer. Not computers it’s actually printers. So these are 15. Yep. 17 minus to 15 different printers that they selected other 200 to charge them against.
00:04:54:51 – 00:05:19:01
Okay, Count 18, this is a vague one obtaining information by computer from a protected computer. So it sounds like that’s stealing data from one of those computers. So probably this is the digitizer that I told you about earlier. That’s the that’s this charge. If I had to guess, this is me reading between the legal lines here.
00:05:19:01 – 00:05:27:13
So he gets charged this this is how it works is it gets charged and then he has time to make some arguments.
00:05:27:13 – 00:05:50:04
You know, hey, this evidence is false. I should throw it out. Hey, this argument is false. That should be thrown out, that kind of stuff. So this is what’s called motion practice and it takes a while. So this practice happens for a while. And then in November 16th of 2023, he says, I’m guilty, but I’m only guilty to one count.
00:05:50:13 – 00:06:21:05
And that one count was the phone system that I just told you to pay attention to. Count one intentional damage to a protected computer for the phone system. Now, the best I can tell his max prison that he’s facing for this is ten years. His minimum there is none. Makes things interesting, right? In this guilty plea, the government and Singla agree to a recommended 57 months of home detention.
00:06:21:05 – 00:06:49:28
So it’s just shy of five years of home detention. And I thought, wait, if max is ten years in prison and there’s no minimum, why are they recommend 57 months of home detention? That seems really light. Well, I dug into the paperwork and he apparently has a rare form of cancer that they claim requires more prompt medical attention than he would get in prison.
00:06:49:33 – 00:07:13:10
And I thought, holy crap, do other people get this consideration. This is the first time in I think it’s 43 some odd cases I’ve done where I’ve seen this thing happen, where it’s, hey, this guy is so medically bad off that we’re going to let him be at home. It didn’t stop there. They said in addition to this cancer, he also has potentially dangerous vascular condition.
00:07:13:14 – 00:07:39:19
So that was a reasoning for recommending the 57 months at home. I stopped here for a moment because when I learned about his cancer and his vascular condition, I thought how fucking ironic it is that he’s fucking around with the health care system that he relies upon for his health. And now to stay out of prison, right? I mean, that’s some irony.
00:07:39:24 – 00:08:02:16
They also agreed in this guilty plea to a $817,000 restitution to cover what the medical center experienced, specifically the hospital, North Side Hospital got 89,000 and this Ace American Insurance Company got the rest. I imagine the insurance company probably covered most of the damages.
00:08:02:16 – 00:08:13:41
And now with that, that was the last thing in the case. Sentencing is now set for February 15th, 2024 at 10 a.m..
00:08:13:46 – 00:08:33:02
And I brought you this case right before sentencing happened because it’s all it’s almost the holidays here. We’re almost flip in the new year in to 2024. I thought I’d be good to get this case out there in case once his sentencing happens, you can watch this and hopefully understand what this whole case was about. Now, I will tell you, I monitor these cases.
00:08:33:07 – 00:08:53:57
This is what’s scheduled. More times than not, this is not the time that will actually happen. It’ll get closer. Somebody will raise an objection or they’ll have a hearing or something, and it’ll push this date back further and further and further. It can be months. It could be years in some cases before I see people go from the guilty plea to the sentencing.
00:08:53:57 – 00:09:23:50
So you may have a real quick update in 2024 or you may have it later. It just depends on when it is that this case wraps up. So one thing I want to show you is his LinkedIn profile, because it’s different now. I wanted to see what he said he did, and this is what it was that I have on your screen now that he says he does now that he has pled guilty. Securolytics does not show up on his profile at all.
00:09:23:50 – 00:09:50:10
He says he is a technology evangelist. He doesn’t have any posts. He has over 500 connections. And if you look at his experience, he does not have Securolytics anywhere on there. His last experience ended in October of 2011, which I believe is probably around the time he switched over to Securolytics if I had to guess. So that’s it.
00:09:50:10 – 00:10:14:44
That’s that’s the whole case. That’s all the evidence I’m going to give to you. So some of the final thoughts I have. 57 months. All right. That felt about right for what he did in this case. And it’s actually posting protected health information of of, you know, hundred, maybe a couple of hundred people, 57 months that felt about right he maybe more.
00:10:14:44 – 00:10:38:58
But I wish in here they would have figured out or they would have at least shared with the public more details and how they figured out with Singla if he was, you know, hired there, what it was they used to do for him, all that kind of stuff that would help round out that story. Because where I jumped in in this case was kind of where he was already in the Medical system’s network.
00:10:39:03 – 00:10:59:42
And it felt like there was a whole bunch of stuff that was missing, at least from a human wanting to know the story standpoint. Now, listen, I work in the cybersecurity industry. I don’t want you to walk away here like any other industry that I cover with any of the defendants. Don’t walk away thinking that the cybersecurity industry is bad.
00:10:59:47 – 00:11:21:49
Just like when I talk about police officers. Not all police officers are bad. When I talki about lawyers. Not all lawyers are bad and so forth. There are a lot of really good cybersecurity companies out there. Don’t let this color your opinion of us at all. And I say this because not a lot of people have experience with cybersecurity companies because hopefully you don’t have to deal with those issues.
00:11:21:49 – 00:11:44:29
But if you do just know that they’re not all bad like this. Another thought I had was how bad medically off do you need to be to get home detention? Where’s that cutoff point? I have no idea. I know that if you’re probably near hospice, you won’t go to prison. But in this case, it sounded like he was in remission.
00:11:44:34 – 00:11:53:56
But they wanted to be able to catch it if he came out of remission. Again, that’s all speculation on my part, because there wasn’t any more thing more specific than what I brought you.
00:11:53:56 – 00:12:10:27
All right, so that’s it. That’s all with this case. Now, here, I want to say happy holidays and New Year. Okay. We brought to you 43 episodes in two seasons of our first year, 2023.
00:12:10:32 – 00:12:30:23
I wasn’t sure if I’d bring you even ten. I wasn’t sure if I could bring a case every week. I wasn’t sure if there were enough cases to bring every week. I found and learned a lot over the past year and, you know, I hope you stuck with me and saw the quality improve from one episode to the next.
00:12:30:23 – 00:12:52:17
As I figured out, you know, the sound issues and the video issues and put music the things at the right levels and, you know, made the resolution of the video correct and able to put the slides in correctly. So we’ve come a long ways and I wanted to say thanks. Thanks for sticking with me. I hope everybody has a happy holidays, whatever holiday you celebrate and everybody has a happy New Year.
00:12:52:22 – 00:13:15:46
For season three, Season three is going to start brand new, new season in January 2024. So I’m going to say come back check often in 2024. I’m going to take maybe a week, two weeks, maybe two weeks break while I figure out and add new things and research out new episodes for season three to start off the ground running in the New Year.
00:13:15:46 – 00:13:31:55
So I hope to see everybody back in the New Year. And while you’re here before you go, please like, subscribe, follow, thumbs up, reshare, whatever it is the positive affirmation is on your platform. It really helps me out a lot when you do that.
00:13:31:55 – 00:13:49:25
It just lets more people see this podcast and I get more exposure and it’s the single most important thing you could do to hopefully thank me for the research I put into these cases. So with that, I hope to see you all back in 2024 and we’ll hit the ground running. Thanks. Bye.