HVAC Vendor Allegedly Hacked: Access Gained to Hospital Systems

In early August, a hacker made contact with Dissent of DataBreaches.net and claimed to have hacked into the systems of a HVAC vendor. Through that vendor the hacker claimed to have gained access to the networks of its clients, one of which was Boston Children’s Hospital.

The company in question is Canton, MA-based ENE Systems. DataBreaches.net reported in a recent blog post that the hacker had attempted to extort money from the HVAC vendor but the ransom was not paid. The hacker still claimed to have access to the network of ENE Systems and those of its clients and told Dissent that he/she was not interested in causing harm to the hospital. DataBreaches.net was asked to reach out to the hospital and make it clear that its network had been breached through the HVAC vendor, in case the vendor had not communicated the breach to the hospital. DataBreaches.net was provided with screenshots as proof of the hack.

While it was not confirmed whether the networks of other hospitals had been breached, ENE systems lists Brigham & Women’s Hospital and Mass General Hospital as its clients on its website.

Mass General Hospital issued a statement about the incident saying, “The hospital was made aware of potential cyber security issues involving one of its vendors. Once notified, immediate action was taken to follow appropriate guidance to mitigate the risk. Hospital systems and operations remain unaffected by this incident.” Boston Children’s Hospital also confirmed that its vendor had experienced a breach and stated there is no risk to hospital operations nor its business environment, and no patient data were affected in the security incident. Brigham & Women’s Hospital said it had not been notified about any issues with its HVAC vendor.

Supply chain attacks can see the systems of many organizations compromised, as the recent attacks on SolarWinds and Kaseya demonstrated. Attacks can occur at any point in the supply chain, and HVAC vendors have been targeted in the past as they are a potential security weak point.

One notable attack involving an HVAC vendor was the 2013 cyberattack on Target. Hackers gained access to the network of its HVAC vendor, Fazio Mechanical Services. The company was contracted to monitor Target’s refrigerated units and was provided with access to Target’s network to perform the contracted duties.

The hackers exploited that access, compromised Target’s network, then moved laterally and accessed its POS system and stole the credit card data of 41 million individuals and the contact information of 60 million customers. Target’s 2016 financial report put the total breach cost at $292 million.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.