State health and cybersecurity officials misled legislators about the cause of a website shutdown at the Department of Health, according to one top lawmaker.
Sen. Paul Pinsky, D-Prince George’s and chair of the Education, Health and Environmental Affairs Committee, expressed outrage over new information he said contradicted a briefing last month. Pinsky said he was angered by the department’s announcement Wednesday that the incident was a ransomware attack — information he said officials withheld for more than six weeks.
During a Thursday hearing, state officials softened statements on whether the incident also included a breach of personally sensitive data. They also revealed there was a separate denial of service attack on those same websites that occurred around the time of the ransomware attack,
Lawmakers received a briefing from state officials in late December in which Chip Stewart, the state’s chief information security officer, described the event as a cybersecurity incident.
“You said there was no hack,” Pinsky said to Stewart during the nearly two-hour hearing Thursday.
Stewart told Pinsky the phrase was “the technical definition of what’s occurred.”
“I guess this is where I feel like tearing out what hair I have left,” said Pinky. “When you said explicitly there was no hack, you implied there was no penetration beyond the defenses …You did not use the word ransomware when you briefed the Senate president and speaker of the House. I don’t know if word games were being played as far as this disingenuous presentation, but the two people leading the legislature were misled.”
The contentious briefing with lawmakers comes after weeks of Health Department and state cybersecurity officials refusing to provide details about the attack.
Del. Shane Pendergrass, chairwoman of the House Health and Government Operations, chastised Stewart and others for not providing answers to a list of questions she said would have guided the briefing.
“I’m a little disappointed that we didn’t get answers to our questions in writing and didn’t get told until today that we weren’t getting answers to our questions,” said Pendergrass.
Pendergrass said the questions sent to the department were prepared by her son, Aaron Pendergrass, chief scientist of the cyber operations branch at the Johns Hopkins University Applied Physics Laboratory.
For weeks officials with the Maryland Health Department and the Department of Information Technology as well as Gov. Larry Hogan, declined to characterize the event as anything other than an “incident.”
An angry Pinsky characterized those earlier briefings and other public statements as an effort to “misinform and disinform the public and the legislature.”
“We’ve kept details of what occurred very close to the chest because it’s a criminal investigation and having those details come out could impede our ability to contain and mitigate the incident,” Stewart said.
The issue was first discovered early on the morning of Dec. 4, when state employees “noticed unusual behavior when a server was not working properly.” The problem was initially assumed to be a system malfunction and hardware failure.
The attack forced the state to isolate and freeze websites associated with the department, including the state’s COVID-19 dashboard.
That site was down for nearly three weeks. Some local health officers complained that they were effectively blind for much of December as cases spiked.
When updates resumed, the state reported more than 30,000 cases. The state’s positivity rate jumped nearly 90%.
For weeks state officials would only call the event a cybersecurity incident. Hogan and others refused to answer questions, citing ongoing investigations.
But 24 hours before Health Secretary Dennis Schrader and other officials were scheduled to brief senators and delegates, the department announced the incident was a ransomware attack.
Stewart offered to meet with Pinsky “to go over our definitions that we went through at the beginning of that presentation” with lawmakers in December.
Much of the presentation given to lawmakers Thursday was a recitation of statements read to reporters during a briefing a day earlier.
“Mr. Stewart, I’ve seen enough dancing,” Pinsky said. “I’ve heard 40 minutes of dancing. Apparently, I heard dancing on December 22. The public should expect more than that.”
Pinsky said the explanations call into question the transparency and integrity of state officials.
“The question becomes who should we trust, and can we trust the administration and department in telling them the truth?” Pinsky said.
“We’ve laid out the facts as we’ve seen them,” said Stewart. “I don’t know there is much more we can do.”
“I will reiterate that maybe what you heard in that conversation on December 22 misaligns with what I recall,” Stewart told Pinsky.
Stewart also appeared to change slightly repeated public statements that no data had been accessed in the attack. Those statements were repeated in the briefing. But Stewart softened them when asked to provide absolute assurances that no personal data was accessed.
Stewart said no data had been accessed in systems for which reviews were completed. Not every system, however, had been fully reviewed.
“We don’t have certainty until we conclude our investigation,” said Stewart.
State officials have 60 days to notify anyone affected by such a breach. The clock doesn’t start to run on that until officials become aware that a breach has occurred.
Lawmakers asked if the department could notify the public that they might potentially be affected by the incident that occurred over a month ago as a precaution.
“We’re not required to provide notice unless we find evidence (of a breach),” said Stewart.