Hawai'i Health Department resolves website defacement, claims no data exposed

The Hawai'i State Department of Health has resolved a website defacement incident, perpetrated by a cybercrime group. The department has stated that the hackers did not gain access to any other government systems during the breach.

The incident revolves around the website healthybydefault.hawaii.gov, a platform created by the Hawai'i State Department of Health to adhere to a 2020 state law mandating that healthy beverages should be the default option in children's meals. On August 31, the website's usual appearance was replaced with a message from the Ransomed group, claiming to have stolen data and urging the Hawai'i government to contact them via an email address provided.

Hawai'i Department of Health confirmed the defacement. The affected website was in a pre-launch status and contained only test data. The incident appeared to be isolated to the healthybydefault.hawaii.gov site, with no identified impact on other DOH websites currently in production. No protected health information was being collected or stored through the affected website.

No details are disclosed about the vector of attack and the way the attackers managed to get access.

The website primarily an oversight interface function, requiring all restaurants that offer children's meals with a beverage to complete a certification form on this platform. A static version of the website with limited functionality had been restored while an investigation was underway, and additional corrective actions were being considered.