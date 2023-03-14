Island residents weren't the only ones to be kept out of the loop when the island’s only public hospital’s network was breached nearly two weeks ago, putting patients’ private information and health at risk.

In fact, Sen. Joanne Brown, vice chair of the committee on health, and several other senators met with the Guam Memorial Hospital's administration Monday after they learned of the breach on Saturday from Speaker Therese Terlaje, the committee’s chair.

“GMH did provide a briefing on what has transpired and their ongoing investigation that includes … federal authorities with regards to this issue, but we certainly did raise our concern,” Brown told The Guam Daily Post.

Among the concerns was the apparent delay in notification to the GMH’s legislative oversight committee. Brown confirmed the senators received word of the breach through “unofficial channels.”

“This is the first time that we got official word actually of what transpired and what they’re doing to address and correct,” she told the Post.

Although the vice chair did not have all the details regarding the incident, she indicated that when GMH’s network was shut down because of the breach, there was no manual protocol in place to respond and continue operations at the hospital unaffected.

“It’s an ongoing challenge of cybersecurity, but we think more steps could have been put in place to address that,” said Brown, who visited the hospital Monday with Terlaje and Sens. Sabina Perez, Telo Taitague and Frank Blas.

The meeting revealed an apparent lack of hospital protocols to respond to and deal with network shutdowns. Brown, when speaking with the Post said she questioned how the hospital ensured quality care when the information technology that’s relied upon goes down.

Senators also raised concerns over the risk to patients’ lives during a network shutdown. Brown did not share specific details, due to an ongoing investigation, but said “a lot of work” needs to be done by the hospital.

Delayed disclosure

GMH publicly announced the breach occurred and that its systems were shut down Monday in a press release. The statement from the hospital, however, disclosed the breach occurred on March 2, and the shutdown on March 4 - nearly two weeks ago.

According to the press release, at the time the breach was detected Gov. Lou Leon Guerrero, Guam Homeland Security and the FBI were notified immediately.

GMH said the governor activated “the full support of Government of Guam’s resources to return GMHA network and systems to full operation as quickly as possible with enhanced cyber security.”

Nine days after the shutdown, however, basic network and information services remain down. On Monday, GMH stated its phone lines and email system are “being restored,” while its remaining functions, programs and services shut down, which were not disclosed, “are expected to be fully restored soon.”

The shutdown, according to the hospital, was done as a “precautionary measure” to the breach, which it described as “unauthorized access” detected by its IT department. GMH also suspended patient visits for about six days, lifting the suspension Monday evening.

While GMH did not disclose if the breach resulted in data being compromised or taken, its press release stated a determination has already been made that no unauthorized access was made to either its patients’ health information or its employee database.

The hospital thanked government partners and internet service providers for “their assistance in addressing the incursion, and in helping ensure that sensitive patient and staff information remain secure,” and its medical staff for “working through these challenges while maintaining an excellent level of care for our patients.”

But Brown has aired concerns about the timing of the public disclosure, which only came after a weekend report of the breach from Kandit News Group and statements from GMH staff over the breach’s risk to patient care.

“We were a bit concerned also just on how the issue was handled publicly, and I did raise that. I understand they have their ongoing investigation that they need to properly address that. There are probably things they can’t reveal because of their investigations but I think the public did have a right to know the fact that these key operations at the hospital were not available,” Brown told the Post.

Officials mum

GMH did not immediately respond to questions posed by the Post regarding the breach and concerns. Cindy Hanson, the hospital’s spokesperson, said a statement would be issued once updates were finalized on the status of the network system, which could be as soon as Tuesday.

Krystal Paco-San Agustin, the governor’s communications director, told the Post Adelup would not be commenting on the breach either, when reached over the phone.

Similarly, Guam Homeland Security acknowledged questions sent by the Post about its involvement in the response to the breach, including whether it helped determine the safety of patient and employee data - but no response was given as of press time Monday.

There has been at least one recent opportunity where GMH could have, but did not, disclose the breach and its effects on hospital operations publicly.

A previous statement on the hospital suspending visitation shows the hospital chose not to disclose the true reason for the decision.

On March 7, GMH released a brief, four-sentence statement that explained visitations were “suspended until further notice due to ongoing hospital-wide network and systems maintenance and upgrades.”

GMH thanked the public for their “patience and understanding as upgrades are made to improve” the hospital-wide networks and systems, but, failed to mention the March 2 network breach.

By Monday, the hospital admitted the visitations were disallowed because of the breach, and the need to “ensure appropriate dedication of resources.”

The suspension was lifted Monday evening by hospital officials.

AG not notified

Attorney General Douglas Moylan said as far as he’s aware, his office was also not notified of the data breach.

“Their attorney is Jeremiah Luther and is not affiliated with our office. Had we been given authority to represent (GMH) we would have immediately investigated and been in a position to advise (GMH),” Moylan said.

He told the Post that his office should have been notified of the incident, and argued it makes the case for giving the Office of the Attorney General more authority over autonomous agencies of the government, especially given a “whistleblower” reportedly revealed the breach before the hospital did.

“It is only when you have the voters' public prosecutor having direct involvement will potentially criminal matters be quickly addressed, and possibly prevented. When government officials have a watchdog in their midst, the public's funds are best protected,” he said referring to a video clip of a “closed-door meeting” in which a nurse allegedly asserted that patients’ lives were at risk because of the breach.

When asked about the failure to disclose the breach publicly despite being aware of it, Moylan said the decision brings potential liability for the hospital.

“This matter will need to be investigated as to the facts and circumstances surrounding what is unfolding. Whenever government officials act in the darkness of closed meetings, the probability of improper actions increase, as does the need for scrutiny by the AG's office,” Moylan said.

Had Moylan been involved, the approach would have been different.

“The AG's office does not represent any government official and this situation would have been immediately evaluated according to those outside breaking the law, as well as internally for any negligent or criminal conduct done by employees of (GMH),” he said. “As we are an elected office, the possibility of 'cover-ups' is less since we are not part of (GMH) and have no financial incentive to protect anyone in (the hospital). The (attorneys) hired by GMHA have a financial incentive to protect their employment by the hospital administrator and board. The attorney also does not have prosecutorial authority - only civil - and is focused upon protecting (the hospital).”

In contrast, the AG's “duty is to the voters who elected him or her into office,” he told the Post.

‘Operating in the dark’

Brown, in her conversation with the Post, specifically honed in on the lack of communication by government officials.

“Even if they gave their general response as to why, I think that would have been acceptable instead of learning from other unofficial sources. … It just creates more speculation and concern, especially for current patients (and) previous patients (who) don’t know if any of their information could have been compromised,” she said. “Certainly if that was not the case, then let the public know, so we’re not operating in the dark. They should have been a lot more effective in providing that information sooner without compromising any potential investigation that may be happening.”

When the Post informed the lawmaker of the March 7 press release on suspending patient visits, she said not disclosing the breach then amounted to, perhaps, “a misrepresentation of the information to the public.”

“It’s a little more going on than upgrading,” she said.

Acknowledging her benefit of hindsight, Brown stressed not being transparent with the public creates “a lot of room for speculation and distrust.” She said GMH, in this case, “was not forthcoming.”

Brown recalled telling GMH officials she “didn’t feel comfortable” when walking out of their meeting with lawmakers.

She told the Post she isn’t opposed to calling GMH leadership to the Legislature to address how the breach was handled.

“Because it did impact the operations at the hospital, it left speculations out there in the public,” she said, adding there has to be public confidence in the hospital. “There’s no doubt there needs to be a public review about what transpired, just so that the people know and are aware of … whatever corrective steps GMH is making.”

Some of those corrective steps should have already been in place, according to Brown, but they were not when senators visited Monday.

Brown was not given any information on how long it took to begin implementing manual processes.

“While they had their key representatives including from their nursing division, I can’t answer what did the rank-and-file experience as a result of this, I don’t know. That was not presented to us,” she said.