Vikas Singla was the chief operating officer of Atlanta-based cybersecurity firm Securolytics in 2018 when two local hospitals were hit with a series of cyberattacks. Singla almost immediately began emailing clients and prospects, offering his company's services and citing the attacks as an example of mounting cyberthreats in the area.
But Singla was the mastermind behind the attacks and according to federal prosecutors, they were just a ruse to help him drum up business for his company.
Singla, who on Friday was still listed on LinkedIn as COO of Securolytics, entered a guilty plea on Thursday in a Georgia federal court to one count of intentional damage to a protected computer in a "series of intrusions" in September 2018 affecting two hospitals of Gwinnett Medical Center in Duluth and Lawrenceville, Georgia. The medical center has since been renamed Northside.
Under the plea deal with the Department of Justice, Singla agreed to pay nearly $818,000 in restitution to the medical center and its insurance company in costs associated with the incident.
Singla had faced a maximum sentence of 10 years in prison but under the agreement, the DOJ said it would recommend to the court that Singla be sentenced to 57 months of probation, including home detention.
The plea deal said incarcerating Singla would interfere with medical care he needs for "a rare and incurable form of cancer" and a "dangerous" vascular condition.
Singla's sentencing is slated for Feb. 15, 2024.
Federal prosecutors in the case filed an 18-count indictment against Singla in 2021.
In March, the federal judge overseeing the case rejected recommendations by an Atlanta magistrate judge to dismiss criminal charges against Singla.
Hack Details
According to the plea agreement, Singla on Sept. 27, 2018, knowingly transmitted a command that resulted in an unauthorized modification to the configuration template for the ASCOM phone system at Gwinnett Medical Center's Duluth hospital campus.
As a result, all of the Duluth hospital's ASCOM phones that were connected to the phone system during Singla's transmission were rendered inoperable, and more than 200 ASCOM handset devices were taken offline, the court document says.
Those phones were used by Duluth hospital staff, including doctors and nurses, for internal communication, including for "code blue" emergencies. The ASCOM phones were used to place calls outside of the hospital, the court document says.
On that same day, Singla - without authorization - obtained information including names, birthdates and the sex of more than 300 patients from a Hologic R2 Digitizer connected to a mammogram machine at Gwinnett's Lawrenceville hospital campus, the document says.
The digitizer, which was accessible through Gwinnett's virtual private network, was protected by a password. Singla did not have permission to access or obtain the information on the device, the court document said.
Also on Sept. 27, 2018, Singla knowingly sent a command that resulted in the printing of a file named Baidu.txt that caused more than 200 printers at Gwinnett's Duluth and Lawrenceville hospital campuses to print information relating to the name, birthdate and sex of patients, obtained without authorization from the digitizer, interspersed with the message 'WE OWN YOU,'" the court document says.
"The defendant intended to cause the printers to print the Baidu.txt file and knew he was not authorized to do so," the plea agreement said. "The printers were used in connection with patient care and the messages printed on the computer had the potential to cause fear among medical staff and impair the provision of hospital services."
A few days later, on Oct. 2, 2018, Singla "caused" a Twitter account - @baidu325017231 - to post 43 messages claiming that Gwinnett had been hacked. Each of the 43 messages contained the name, birthdate and sex of a patient, which Singla had obtained from the hacked digitizer, prosecutors say in the plea document.
Soon after the incident, Singla "attempted to create and use publicity about the attack" in an effort to generate business for his company, including emails to potential Securolytics clients offering the firm's services and mentioning the recent Gwinnett incident, the court document said.
"The Defendant's computer intrusions affecting the Gwinnett's ASCOM phone system, printers and digitizer, including the defendant's related course of conduct, resulted in financial harm to the medical center in the amount of $817,804.12," the court document said.
The medical center did not immediately respond to Information Security Media Group's request for comment and neither did Securolytics nor an attorney representing Singla.
The Justice Department declined ISMG's request for comment on the plea and for clarification about the relationship - if any - between Singla's company and Gwinnett Medical Center at the time of the attack.
Blurry Lines
While the Singla case appears to fall outside the realm of most data breaches that involve malicious insiders or external cybercriminals, the incident highlights important evolving security considerations, some experts contend.
"This is a pretty unusual case, but it's an example of an increasing issue in the cybersecurity world in general - where the line between some of the good guys and some of the bad guys is getting pretty blurry," said privacy attorney Kirk Nahra of the law firm WilmerHale, who is not involved in the Singla case.
"This idea of 'security breaches as marketing' is pretty out there, but we see similar issues from security 'researchers,' for example, where they are offering to help when they may in fact be the cause of the problem," Nahra said.
It's "just a continuing part of the need for evolving thinking constantly on how to prepare for and respond to cyber breaches," he added.