Ransomware, Incident Response, Data Security

Maryland Department of Health confirms ransomware spurred monthlong outage

COVID-19 vaccinations and treatments have continued amid the Maryland Department of Health ransomware attack recovery. But MDH has yet to fully restore surveillance data. (Photo by Win McNamee/Getty Images)

Maryland Departments of Health and Information Technology confirmed the ongoing, monthlong network outages were spurred by a ransomware attack. First detected on Dec. 4, the state has been leveraging its incident response plan and working with the FBI on the investigation.

The state has not paid any ransom demands.

The MDH network team identified a server improperly functioning during the early hours of Dec. 4 and began investigating. In a statement, Maryland Chief Information Security Officer Chip Stewart said the tech team isolated and contained the virus within several hours of detecting the intrusion. 

The latest update shows the team found “activities that they felt warranted escalation to the internal MDH IT Security team,” which was later determined to be ransomware. As previously reported, the tech team took the systems offline to contain the spread of the virus, which has led to a number of service outages and manual reporting of COVID-19 cases.

The “containment approach” took some key services offline that remain offline, while the team continues to cautiously and responsibly mitigate and isolate the attack. The MDH Healthcare System has remained operational throughout the incident.

However, the attack has disrupted services at local health departments, including the Garrett County Health Department.

“In cybersecurity incidents, there can be pressure to reconstitute services quickly, and sometimes too quickly,” Stewart said in a statement. “All too common are stories of organizations that had to restart recovery efforts because of this, sometimes more than twice.”

“We are recovering with deliberate action to minimize the likelihood of reinfection. I cannot stress how important this point is — in order to protect the state’s network and the citizens of the state of Maryland, we are proceeding carefully, methodically, and as expeditiously as possible, to restore data and services,” he added.

The Maryland CISO also set up an incident command infrastructure for investigation and recovery. MDH Deputy Secretary Atif Chaudhry explained MDH has been collaborating with the state’s Department of Information Technology (DoIT) to manage and address all incident-related issues.

The state also activated its cybersecurity insurance policy to bring on “external forensic resources and advisory resources to help ensure that we are handling the incident in the best possible way.” 

As a result, while some systems have been restored, MDH continues to experience disruptions to its operations and COVID-19 data reporting capacity. The investigation has so far found no evidence of data compromise.

Chaudhry explained the recovery efforts are relying on a “tiered system” to first bring back online mission-critical and life-safety business functions. As part of those efforts, MDH is using alternative processes to continue serving the most urgent needs of the public.

Offline systems affect COVID-19 reporting

The most pressing, of course, is the ongoing COVID-19 surge. COVID-19 vaccination and testing services are operating as normal, while vaccine, hospitalization, congregate, and school outbreak data reports are up-to-date.

For most of December, the state’s COVID-19 case numbers were not reported to the public. And now, just 95% of state-level surveillance data has been restored. The tech team is continuing to reinstate the full COVID-19 dataset and the “remaining data reports will be updated at the earliest opportunity.”

MDH has also brought on 2,400 laptops, with plans to procure 3,000 more, as well as mifi devices, printers, and wireless access to points to support business continuity efforts. The state is continuing to harden the IT infrastructure to ensure the systems and data remain secure.

The attack bears similarities to a NetWalker ransomware incident that struck the Champaign-Urbana Public Health District website in early 2020, which rendered system files inaccessible. The tech staff was forced to take the site offline in the wake of the incident, leveraging social media to keep the public abreast of COVID-19 developments.

As for MDH, there is still no clear timeline for when the the entire system will be brought back online.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.