Please ensure Javascript is enabled for purposes of website accessibility

Md. health department website shutdown was ransomware attack, officials say

ANNAPOLIS — State officials confirmed Wednesday that a cybersecurity incident that forced a shutdown of the Maryland Department of Health websites was a ransomware attack.

The announcement was made by the state’s chief information security officer in a briefing with reporters.

“While the investigation is ongoing—and is occurring on a parallel track to our restoration efforts—we can confirm this much today: This was, in fact, a ransomware attack,” said Chip Stewart.

“We have paid no extortion demands, and my recommendation—after consulting with our vendors and state and federal law enforcement — continues to be that we do not pay any such demand,” Stewart said.  “At this time, we cannot speak to the motive or motives of the threat actor. That said, both law enforcement and cybersecurity authorities have observed that health and hospital systems are increasingly being targeted by malicious actors during the pandemic.”

Stewart said the agency also made use of consultants through a cybersecurity insurance policy.

“The companies and personnel provided by the insurance policy are widely regarded as the best in the industry,” he said. “These actions brought all the resources needed to facilitate a comprehensive investigation and secure recovery.”

Stewart’s statement is the most expansive comments made by state officials regarding the Dec. 4 attack.

Gov. Larry Hogan, speaking to reporters Tuesday, teased the announcement. “It’s not a great situation, but it’s a lot better than it could be,” Hogan said.

The announcement comes on the eve of a scheduled briefing with members of a House and Senate committee. The briefing is expected to be closed to the public to prevent the release of information that could further compromise security.

The issue was first discovered early on the morning of Dec. 4, when state employees noticed unusual behavior when a server was not working properly. The issue was initial assumed to be a system malfunction and hardware failure.

The attack forced the state to isolate and freeze websites associated with the department, including the state’s COVID-19 dashboard.

That site was down for nearly three weeks. Some local health officers complained that they were effectively blind for much of December as cases spiked.

When updates resumed, the state reported more than 30,000 cases. The state’s positivity rate jumped nearly 90%.

The attack continues to have lingering effects. State officials initially downplayed reports that the department was replacing computers en masse. Instead, officials said, employees were given loaners as existing devices were scanned and compromised computers wiped and returned to users.

On Wednesday, Atif Chaudhry, health department deputy secretary, told reporters more than 5,000 laptops had been purchased.

“MDH has also ordered additional equipment to implement the Department’s COOP plans and modified business processes.” said Chaudhry. “This includes ordering 2,400 laptops, with an additional 3,000 being ordered this week. Additionally, MDH also ordered mifi devices, printers, and wireless access points to ensure employees have the equipment to do their jobs and continue to provide services to the citizens of Maryland.”