Hospital HVAC Hack

Event Year: 2009 Reliability: Confirmed
Country: United States
Industry Type: Other
Description:

A security guard for a Texas hospital was arrested for allegedly breaking into the facility’s HVAC and confidential patient information systems.  Jesse William McGraw, also known as “GhostExodus” was charged with downloading malicious code onto a computer at the Carrell Clinic to cause damage. 

Wesley McGrew, an expert in control safety systems and SCADA security saw screenshots of the hospital’s HVAC system posted online by “GhostExodus”.  The screenshots showed an HMI that gave the user control over many of the hospital’s utilities including pumps and chillers in the operatoring room.  According to court documents, hospital officials had experienced problems with their HVAC units and were confused as to why none of the systems alarms had gone off as programmed.  Screenshots posted by “GhostExodus” showed the HVAC window for the hospital surgery unit.  The test alarm system was switched to “inactive”.

Update 2May2011:  On March 17, 2011, Jesse McGraw who admitted to hacking into the hospital’s computer systems, was sentenced to 110 months on each of two counts to be served concurrently.  In addition, McGraw was ordered to make restitution to the occupants in the building affected by his criminal conduct, specifically the W.B. Carrell Memorial Clinic, the North Central Surgery Center and the Cirrus Group.

Impact:

The hospital experienced problems with the HVAC system.  The attack was a threat to public health and safety.