State officials Monday provided some additional details about a cyberattack that has crippled some websites operated by the Maryland Department of Health but shed no further light on what caused the incident.
The new information was part of a 15-minute phone briefing Monday with reporters that came as the department provide some of the first data on COVID-19 cases in the state in 17 days. Those updates show that the state added more than 30,000 cases and the positivity rate jumped nearly 90%.
“We are making good progress bringing systems back online as safely and quickly as possible,” said Chip Stewart, chief information security officer for the state.
In recent days the state has been able to bring the health department’s main website back up. Stewart added that Medicaid operations, including eligibility and provider payment services, are available. The state can now issue birth and death certificates.
“We are working around the clock to provide full functionality,” Stewart said.
Officials could not provide a list of services that are still unavailable but said “virtually all functions of (the health department) are able to be accomplished by workarounds.”
Monday afternoon the state published its first update of COVID cases, though some information — including deaths over the last 17 days — lags.
“This incident is not affecting the state’s ability to test for the disease, administer vaccines or facilitate any of the steps of our coordinated COVID response,” Stewart said during the briefing.
Stewart added that he has briefed legislative leaders, the comptroller, attorney general and some other state officials.
Some local health officers and county officials have complained that the lack of data has made it difficult to know the full extent to which the disease is spreading in their counties or to project future hospitalizations.
“We continue to report what we need to report to the state,” Baltimore County Health Officer Dr. Gregory Branch, told reporters early Monday afternoon. “We’re not getting a lot of information back in any type of aggregate form, and we’re waiting for that.”
On Monday, the department reported 621,220 cases of the virus, an increase of 28,541 new cases since the last report on Dec. 4. At that time, the state reported a positivity rate of 5.43%. That rate is now nearly 10.5%. The state has not updated the number of virus-related deaths since Dec. 4.
“Our teams are working around the clock right now to restore all of the data,” Stewart said. “That’s all I can really say about our timelines at this point.”
Health officials on the call said the plan is to publish daily data dating back to the day of the attack. No timeline was given other than “the near future.”
The exact cause of the outage remains unclear, and state officials declined to discuss it, citing an ongoing investigation.
Stewart said the issue was first discovered early on the morning of Dec. 4, when state employees “noticed unusual behavior when a server was not working properly.” The issue was initial assumed to be a system malfunction and hardware failure.
Later that morning, state cybersecurity officials discovered the incident was related to a “cybersecurity incident.”
“At my direction, MDH took immediate containment actions by isolating each of their sites on the network from one another, other state sites and the internet as a whole,” Stewart said. “As a result of this containment approach, some services are still unavailable. This was an intentional and responsible thing to do with regard to threat isolation and mitigation.”
Stewart said a forensic investigation is ongoing, but there was no evidence of unauthorized access to “any data.”
Officials are declining to characterize the nature of the attack and have neither confirmed nor denied that it was related to a ransom demand. Stewart said an “ongoing criminal investigation” limits what he can say about the incident.
“I hope that the public understands that,” he said.
In calls as recent as Monday, state health department officials have told contractors to be wary of emails sent from the health department and that state employees are having computer equipment replaced.
“The laptops are all being scanned to ensure their safety,” said Lance Schine, deputy secretary of the Department of Information Technology and state chief technology officer. “If we find that one was affected, we will clean it and restore it to the employee. In the meantime employees are being given loaner computers so they can continue their work.”