“Sharon,” a newly minted mental health therapist in Western Maryland, applied for her license with the state in November, sending in the required paperwork and payment.
She was eager to get her new career off the ground, particularly since she has graduate school bills — and other expenses — piling up, and she has clients lined up for counseling sessions.
Days after she applied, on Dec. 4, the state Department of Health was hit by what officials will only describe as an “incident,” generally assumed to be a cyberattack. They have offered few details since, citing the need to protect the ongoing investigation. They have said the impact on daily operations has been significant.
Sharon (who asked to be identified only by her first name) knew about the attack from checking the health department’s website frequently. Still, she said it was frustrating to wait weeks for her license to come through, unsure when — or whether — it would arrive.
“I drained my whole account in December, thinking I’d have a job to go right to — and I don’t, because I can’t until I get this license,” she said on Monday. “I spent six years in grad school to get this degree, and it’s like there are no answers.”
Sharon wasn’t financially destitute, because the institutions where she did her fellowship training kept her on in a support role. But she said the agency’s failure to provide more guidance is difficult on people waiting for their licenses to arrive.
“There are so many people in my boat, not just counseling — from nursing, occupational therapy, et cetera,” she said. “They’re not telling the public what’s going on. … Nobody’s going to be patient for much longer.”
In a posting online, the Maryland Board of Professional Counselors and Therapists called the IT outage a “crisis” — and unlike the health department, it did refer to the event as a “cyber attack.”
“We only regained access to our database at the end of last week,” the board wrote. “After the cyber attack, many of our licensees were not able to renew their licenses because the staff could not update their background check status in the system.”
Andy Owen, deputy director of communications at the Department of Health, said in an email that the state’s independent boards and commissions issue licenses “with their own systems.”
“Since the network security incident, some are using a mix of paper and technology-based processes,” he said. “For example, the Maryland Board of Nursing is developing alternative procedures for candidates for initial licensure as a registered nurse or licensed practical nurse who are affected by temporary system outages.”
Others have not been affected as greatly, he added, such as the psychology board and massage board, which are still processing applications through their website.
License-holders seeking renewals have not been impacted as significantly as first-time applicants. State officials have said that practitioners who sought renewal within two weeks of the end of the 30-day grace period the state offers can continue to practice.
Many people like Sharon are turning to state lawmakers for assistance.
Sen. Cheryl K. Kagan (D-Montgomery), chair of the Senate’s health subcommittee, said she had a constituent “who had a job offer, literally had passed everything, checked all the boxes, submitted her paperwork” — only to be held up by a long delay in obtaining her license.
“She was going to lose access to a job that would help her support her family because someone wasn’t doing their administrative task correctly and in a timely manner,” said Kagan. “That’s a problem that needs to be addressed.”
Two legislative committees — one from the Senate, one from the House — will hold a hearing into the health department’s cyber attack next week.
Although the agency has indicated it needs to discuss sensitive details in closed session, Senate Education, Health and Environmental Affairs Committee Chair Paul G. Pinsky (D-Prince George’s) said it’s important that the public gain as full a picture as possible.
“We’re going to try to keep as much in public (as we can),” he said. “There are some things they have to respond to and explain and justify. … I also don’t want to jeopardize any security.”
In a December briefing for legislative leaders, top agency officials said they needed to take their computer systems down — and isolate them from the mainframe — to avoid the potential spread of malicious code.
“If you get a cyber attack of some type, it’s going to cause problems,” Pinsky acknowledged. “You can’t control the hacks. … It’s created a problem for a lot of people in a lot of the health occupations.”
In a recent update, Tony W. Torain, executive director of the counselors and therapists board, wrote, “I am pleased to report that our IT staff has been able to create a ‘workaround’ so that we are now able to update the licensees’ files with background check information. The staff is updating that information as quickly as they can but it will take some time to complete the task.”
On Tuesday, Sharon received her license via email.