Maryland officials confirmed on Wednesday that the state's Department of Health is dealing with a devastating ransomware attack, which has left hospitals struggling amid a surge of COVID-19 cases.
In a statement released on Wednesday, Maryland Chief Information Security Officer Chip Stewart said the attack began on December 4 and crippled their systems.
"We have paid no extortion demands, and my recommendation -- after consulting with our vendors and state and federal law enforcement -- continues to be that we do not pay any such demand. At this time, we cannot speak to the motive or motives of the threat actor," Stewart said.
Stewart went on to explain that the health department's network team noticed a server malfunctioning in the early morning of December 4. They eventually escalated it to the IT security team, which later notified Stewart that it may be a ransomware attack.
The state began its incident response plan, which started with notifying multiple Maryland agencies, the FBI, and CISA. They also brought in outside cybersecurity firms to help with the response.
"MDH took immediate containment action by isolating their sites on the network from one another, external parties, the Internet, and other State networks. As a result of this containment approach, some services were rendered unavailable, and some remain offline today. I want to be clear: this was our decision and a deliberate one, and it was the cautious and responsible thing to do for threat isolation and mitigation," Stewart said.
He defended the decision to keep some services offline, writing that he has seen instances where organizations reconstitute services too quickly.
Multiple news outlets in Maryland have reported that the health department and dozens of local partners have struggled to recover from the ransomware incident over the last six weeks. For weeks, the department was unable to release COVID-19 case rates as the Omicron variant devastated other states. While that service has returned, health officials now have to calculate the COVID-19 statistics by hand.
Governor Lawrence Hogan also defended the state's response, telling reporters on Wednesday that "unlike Texas and I think a couple of other dozen states, we haven't lost hundreds of millions of dollars, and we haven't compromised millions of people's data."
According to the local news outlet Maryland Matters, the number of deaths from COVID-19 was not reported in the state for almost the entire month of December, and the state was not able to issue death certificates for about two weeks. In speaking with health officials and union members about the attack, the outlet discovered that some people dealing with HIV could no longer access the daily medication they needed, and some hospitals were unable to access bank accounts to cover the cost of basic necessities. After a visit to Springfield Hospital Center, State Senator Katie Fry Hester told Maryland Matters that officials have restored access to high-profile, public-facing tools, but "the stuff behind the scenes that the healthcare workers need actually to do their jobs are still down."
Other health officials said many of the state's smaller hospitals were forced to revert to paper records. Access to critical databases for communicable diseases, lab reports, and more is still down.
Atif Chaudhry, Maryland Department of Health's deputy secretary for operations, said in a statement that the state has a continuity plan designed specifically for situations like this.
Officials prioritized mission-critical and life-safety services as they worked around the ransomware attack, using Google Workspaces as a tool to "ensure that they can serve the public's most urgent needs right now and resume their standard level of full service."
State officials plan to hold a hearing about the ransomware attack on Thursday.
Heath Renfrow, CISO of Conversant Group, told ZDNet that it was "bold" of officials to say the systems were taken offline as soon as the intruder was detected because, typically, hackers spend significant time in a victim's system.
"If the MD Health Department had truly been alerted to the intrusion when it occurred, then their systems should not have been encrypted. I would guess that they were taken offline after the successful encryption of most of their systems and that the encryption stage had already completed what it needed to complete," Renfrow said.
"I would be curious if outside breach counsel has been engaged for this incident, and what the ultimate results of the Data Forensics Incident Response results will show (how the threat actors gained access, what sensitive data could they have touched, and if data was exfiltrated). Health and Human Services Office of Civil Rights will most likely have to be notified of potential Health Insurance Portability and Accountability Act (HIPAA) violations, and possibly notifications sent to the victims of the potential exposure of their personal health information."