Maryland officials confirmed on Wednesday that the state’s Department of Health is dealing with a devastating ransomware attack, which has left hospitals struggling amid a surge of COVID-19 cases.
In a statement released on Wednesday, Maryland Chief Information Security Officer Chip Stewart said the attack began on December 4 and crippled their systems.
“We have paid no extortion demands, and my recommendation — after consulting with our vendors and state and federal law enforcement — continues to be that we do not pay any such demand. At this time, we cannot speak to the motive or motives of the threat actor,” Stewart said.
Stewart went on to explain that the health department’s network team noticed a server malfunctioning in the early morning of December 4. They eventually escalated it to the IT security team, which later notified Stewart that it may be a ransomware attack.
The state began its incident response plan, which started with notifying multiple Maryland agencies, the FBI, and CISA. They also brought in outside cybersecurity firms to help with the response.
“MDH took immediate containment action by isolating their sites on the network from one another, external parties, the Internet, and other State networks. As a result of this containment approach, some services were rendered unavailable and some remain offline today. I want to be clear: this was our decision and a deliberate one, and it was the cautious and responsible thing to do for threat isolation and mitigation,” Stewart said.
He defended the decision to keep some services offline, writing that he has seen instances where organizations reconstitute services too quickly.
Multiple news outlets in Maryland have reported that the health department and dozens of local partners have struggled to recover from the ransomware incident over the last six weeks. For weeks, the department was unable to release COVID-19 case rates as the Omicron variant devastated other states. While that service has returned, health officials now have to calculate the COVID-19 statistics by hand.
Governor Lawrence Hogan also defended the state’s response, telling reporters on Wednesday that “unlike Texas and I think a couple of other dozen states, we haven’t lost hundreds of millions of dollars, and we haven’t compromised millions of peoples’ data.”
According to local news outlet Maryland Matters, the number of deaths from COVID-19 was not reported in the state for almost the entire month of December, and the state was not able to issue death certificates for about two weeks. In speaking with health officials and union members about the attack, the outlet discovered that some people dealing with HIV could no longer access the daily medication they need and some hospitals were unable to access bank accounts to cover the cost of basic necessities.
After a visit to Springfield Hospital Center, State Senator Katie Fry Hester told Maryland Matters that officials have restored access to high-profile, public-facing tools but “the stuff behind the scenes that the healthcare workers need to actually do their jobs are still down.”
Other health officials said many of the state’s smaller hospitals were forced to revert to paper records. Access to critical databases for communicable diseases, lab reports, and more is still down.
Atif Chaudhry, Maryland Department of Health’s deputy secretary for operations, said in a statement that the state has a continuity plan designed specifically for situations like this.
Officials prioritized mission-critical and life-safety services as they worked around the ransomware attack, using Google Workspaces as a tool to “ensure that they can serve the public’s most urgent needs right now and resume their standard level of full service.”
State officials plan to hold a hearing about the ransomware attack on Thursday.