Attack on Health Dept. Computers Was “Ransomware,” Hogan and Cyber Czar Acknowledge
Gov. Lawrence J. Hogan Jr. and top Maryland Department of Health officials acknowledged for the first time Wednesday that the perpetrators of the attack on the agency’s computer system sought a ransom payment from the state.
The state has not paid those responsible for the attack, Hogan (R) said.
“Unlike Texas and I think a couple of other dozen states, we haven’t lost hundreds of millions of dollars, and we haven’t compromised millions of peoples’ data,” he said. “But it’s a big issue. It’s a ransomware attack and they’re targeting health departments across the country.”
Prior to Wednesday’s announcement, officials would only refer to the Dec. 4 attack on the agency’s network as an “incident.” On Wednesday morning, Maryland Matters published a report on the broad impacts the outage continues to have on the state health department and the 24 local health departments who work closely with MDH.
“While the investigation is ongoing — and occurring on a parallel track to our restoration efforts — we can confirm this much today: this was, in fact, a ransomware attack,” said Maryland Chief Information Security Officer Chip Stewart in a statement. Stewart described the unidentified attackers’ demand as “an extortion payment.”
Ransomware attacks, which frequently originate overseas, prevent government agencies and businesses from accessing their own information and data systems until the entity under siege makes a payment.
Stewart said that the state has not made any such payment and, at his recommendation “after consulting with our vendors and state and federal law enforcement, will not be doing so.”
Law enforcement and cybersecurity authorities have observed that health and hospital systems are increasingly being targeted by malicious actors during the pandemic, Stewart said.
For nearly six weeks, the Department of Health and local health authorities have been struggling to recover from the ongoing repercussions of the attack. Hogan and state health and cybersecurity officials have been tight-lipped about the investigation.
Atif T. Chaudhry, the deputy secretary of operations for the Department of Health, said that the agency and the Department of Information Technology are working closely to resolve the remaining problems caused by the attack, and are coordinating with the federal government.
Stewart said Wednesday that “to this point” in the ongoing investigation, there has been no evidence that state data was compromised.
On Thursday, the House Health and Government Operations and Senate Education, Health and Environmental Affairs — along with the Joint Committee on Cybersecurity, Information Technology and Biotechnology — will hold a hearing online at 1 p.m. to learn more details about the attack. Some of the hearing could be held offline, to avoid the release of sensitive details.
Detailing what happened
According to Stewart, the Department of Health’s network team detected a malfunctioning server in the early hours of Dec. 4 and immediately began troubleshooting the problem.
After identifying issues they felt warranted deeper investigation, the problem was passed on to the agency’s IT Security Team which alerted the chief information security officer for the Department of Health, Stewart said.
He was notified shortly after and launched the state’s cybersecurity incident response plan, which triggered alerts to Maryland’s Department of Information Technology, the Department of Emergency Management, the State Police, the Governor’s Office of Homeland Security and the Maryland National Guard.
Stewart said that he also notified the FBI and the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, and activated Maryland’s cybersecurity insurance policy through the state treasurer’s office. The insurance policy allows outside resources to advise the state on its recovery process.
At this point, Stewart said, the agency’s websites on its network were ordered to be isolated from each other, other state agency sites and the internet as a whole.
He said the network isolation has continued to render some systems unavailable.
“I want to be clear: this was our decision and a deliberate one, and it was the cautious and responsible thing to do for threat of isolation and mitigation,” Stewart said.
Since the attack began, some public-facing databases — notably the state’s COVID-19 data dashboard — have come back online.
Many others, including resources that report communicable disease data and lab results and systems that support participants in Maryland’s AIDS Drug Assistance Program, are still not operational, sources told Maryland Matters.
Stewart warned against recovering services too quickly, which can lead to agencies needing to restart recovery efforts multiple times.
“I cannot stress how important this point is — in order to protect the state’s network and the citizens of the state of Maryland, we are proceeding carefully, methodically, and as expeditiously as possible, to restore data services,” he said.
In the meantime, Chaudry said that the Department of Health’s business units have been operating on continuity of operations plans to allow its programs to keep “performing essential functions in the event of an emergency or interruption of services — such as an attack.”
According to Chaudry, continuity of operations plans were implemented on Dec. 4. The agency has since prioritized certain functions.
“In this instance, we are using a tiered system that is focused on mission critical and life-safety business functions,” Chaudry said. “This prioritization of the Department’s affected functions has led to the development of a Critical Path for recovery and bringing systems back online.”
Union officials have blown the whistle, saying that their members employed through the Department of Health have been without their work computers since the attack began.
According to Chaudry, agency employees have been using Google Workspaces to share and save files online, and the department has procured printers, wireless hotspots and 2,400 laptops with plans to secure 3,000 more.
Hannah Gaskill
Reporter
Hannah Gaskill was a reporter for Maryland Matters. She left the publication in May 2022. Gaskill received her master’s of journalism degree in December 2019 from the University of Maryland. She previously worked on the print layout design team at The Diamondback, reported on criminal justice in Maryland for Capital News Service and served as a production assistant for The Confluence — the daily news magazine on 90.5 WESA, Pittsburgh’s NPR member station. Gaskill has had bylines in The Baltimore Sun, The Washington Post and The Chicago Tribune, among other publications. Before pursuing journalism, she received her bachelor’s of fine art degree from Carnegie Mellon University in 2016. She grew up in Ocean City.
Bruce DePuyt
Reporter
Bruce DePuyt is a contributor to Maryland Matters, where he was a full-time reporter until December 2022. Previously, DePuyt spent nearly three decades on local television, including 14 years as producer and host of “NewsTalk” on NewsChannel 8 in the Washington, D.C., region. He was a reporter and anchor on “News 21” in Montgomery, where he also served as producer and host of “21 This Week.” He then became a reporter and anchor at NBC affiliate WVIR in Charlottesville, Va. He appears occasionally on WTOP (103.5 FM), WAMU (88.5 FM) and MPT.
Related Articles
U.S. Rep. David Trone (D) has spent almost $42 million of his own money so far, while Prince George’s County Executive Angela Alsobrooks (D) and former Gov. Larry Hogan (R) have raised money at a fast clip.
Young conservatives who favor acting to combat climate change may seek guidance from the former governor’s environmental record.
Hogan’s bid in Maryland a headache for national Democrats, who may need to spend to defend a seat that previously seemed out of reach for the GOP.
Creative Commons Attribution