The former chief operating officer (COO) of a cybersecurity firm who hacked two hospitals in an attempt to win business has changed his plea to guilty in an attempt to avoid a lengthy jail term. On September 27, 2018, two hospitals that are part of Gwinnett Medical Center (GMC) in Georgia suffered cyberattacks that disrupted their phone systems and printers. Access was gained to the phone system and a command was sent that disabled all phones that were connected to the system. The phones were used by doctors and nurses for internal communication, including code blue emergencies. More than 200 handheld devices were disabled.
On the same day, access was gained to a Hologic R2 Digitizer digitizing device that was connected to a mammogram machine, and the data of approximately 300 patients was stolen, including their names, date of birth, and sex. The data was then sent to more than 200 network printers in the hospitals that were used in conjunction with patient care, which were made to print the stolen data along with the message “We Own You”. A few days later, a Twitter account was used to post 43 messages, each of which included patient details stolen from the digitizing device to increase publicity about the cyberattack.
At the time of the attacks, Vikas Singla was the COO of the cybersecurity company Securolytics, which used the attacks to drum up business, citing the cyberattack in communications to potential new customers in an effort to win their business. Singla was indicted and faced 17 counts of causing intentional damage to a protected computer and 1 count of information theft in relation to the attackw and faced a maximum jail term of 10 years for each of the intentional damage to a protected computer counts and up to 5 years in jail for the information theft count. Singla pleaded not guilty and was released on bond.
A magistrate judge then recommended the criminal charges against Singla be dropped; however, a federal judge overruled. Singla’s attorneys then negotiated a plea deal that would see the charges reduced to one count of causing intentional damage to a protected computer in exchange for a guilty plea and payment of almost $818,000 in restitution – to cover the full costs incurred by GMC and its insurance company, Ace American Insurance Company, in relation to the attacks. Under the plea deal, the Department of Justice (DoJ) will recommend Singla be sentenced to 57 months’ probation, including home detention. Singla has been diagnosed with a rare form of incurable cancer and has a potentially dangerous vascular condition. His attorneys argued that incarceration would interfere with his medical care.
Singla admitted sending the command that disabled the phone systems and the printer attacks, and that his actions caused the Twitter account to send the messages. While the charges have been reduced and the DoJ will recommend 57 months of probation, the decision lies with the judge. Singla has waived his right to change his plea to not guilty and cannot now get a jury trial. The judge will decide on an appropriate sentence, which could be up to 10 years in jail, a hefty fine of twice the losses caused, in addition to full restitution. Singla will be sentenced on February 15, 2024.