Vikas Singla, the chief operating officer of a network security company based in Atlanta, has been arrested and charged with allegedly hacking a local not-for-profit health care provider in 2018.
Mr. Singla, 45, made his initial appearance in federal court Thursday and was arraigned on 18 counts stemming from what the Department of Justice described as a cyberattack on the Gwinnett Medical Center.
Prosecutors allege the defendant hacked into computers that controlled a phone system and 16 printers at hospitals operated by Gwinnett, which runs facilities in the cities of Duluth and Lawrenceville, Ga.
Mr. Singla, of nearby Marietta, also stands accused of hacking into a computer belonging to the medical center and stealing information “for purposes of commercial advantage and private financial gain.”
“This cyberattack on a hospital not only could have had disastrous consequences, but patients’ personal information was also compromised,” said Chris Hacker, special agent in charge of the FBI’s Atlanta field office. “The FBI and our law enforcement partners are determined to hold accountable those who allegedly put people’s health and safety at risk while driven by greed,” he said in a statement.
The indictment against Mr. Singla alleges that he conducted the cyberattack on Gwinnett on or about Sept. 27, 2018, and that he was aided and abetted by others unknown to the grand jury that charged him.
Gwinnett had acknowledged that it was investigating a “security incident” around the same time of the alleged cyberattack, amid reports that some of its patients’ records had been exposed online.
The indictment charging Mr. Singla described him as the COO of a network security company that caters to the health care industry. That company is Securolytics, according to a LinkedIn profile in his name.
In a since-vanished post that once appeared on the Securolytics site, Mr. Singla wrote in 2017 that internet-connected medical devices are a “top security concern,” Engadget noted in its reporting Friday.
Mr. Single faces 17 counts of intentionally damaging a protected computer and one count of obtaining information from a protected computer, all violations of the U.S. Computer Fraud and Abuse Act.