Maryland health agency confirms December ransomware attack

The incident, which had been described as a "network security breach," was in fact due to extortion malware, officials said.
The Maryland Department of Health confirmed Wednesday that a cyberattack last month that interrupted several key functions, including its daily publication of COVID-19 statistics, was a ransomware incident.

The attack, which was first detected Dec. 4, when it was described merely as a “network security breach,” resulted in the department’s website being taken offline, a pause in COVID-19 metrics and an interruption in sharing data with local health agencies. In a statement released by Gov. Larry Hogan’s office, state Chief Information Security Officer Chip Stewart said the outages were part of a mitigation strategy designed to isolate affected systems from other state networks.

“At my direction and in accordance with our standard operating procedure for incident response, MDH took immediate containment action by isolating their sites on the network from one another, external parties, the internet and other state networks,” Stewart said. “I want to be clear: This was our decision and a deliberate one, and it was the cautious and responsible thing to do for threat isolation and mitigation.”

Stewart said problems were first detected when an MDH technology worker identified a server that was not functioning properly. An inspection of that server prompted a call to the agency’s cybersecurity office, which eventually worked its way up to Stewart, who said he activated the state’s cyber-incident response plan. Along with Stewart and his colleagues at the Maryland Department of Information Technology, the resulting investigation and mitigation included teams from the Maryland Department of Emergency Management, the Maryland State Police and the National Guard.


Maryland officials have not attributed the attack to any known ransomware actor, but Stewart did say the state has not made any payments to regain access to its systems or data.

“We have paid no extortion demands, and my recommendation — after consulting with our vendors and state and federal law enforcement — continues to be that we do not pay any such demand,” he said.

While MDH says many of the services that were initially knocked offline by the ransomware incident have been restored — including COVID-19 reporting, which resumed Dec. 20 after a two-week lag — the department has only restored 95% of state-level surveillance data.

“We have resumed reporting all of the metrics that are relevant to the current state of the pandemic and that are helping to inform our response,” MDH spokesperson Andy Owen told StateScoop.

Atif Chaudhry, the health agency’s deputy secretary for operations, said again Wednesday that although COVID-19 statistics were unavailable, the ransomware attack did not affect the state’s vaccination and testing functions or the operation of state-run health facilities.


“Without a doubt, one of the department’s mission-critical functions is the state’s ongoing COVID-19 response, and on that aspect we have remained fully operational throughout this incident,” he said.

Chaudhry also said MDH is following a continuity-of-operations plan that’s involved the purchase of 2,400 new laptops — with an additional 3,000 set to be ordered this week — as well as new printers and wireless access points.

Written by Benjamin Freed

Benjamin Freed was the managing editor of StateScoop and EdScoop, covering cybersecurity issues affecting state and local governments across the country. He wrote extensively about ransomware, election security and the federal government’s role in assisting states and cities with information security.
