Maryland Health Department Confirms Attack Was RansomwareMeanwhile, Specialty Pharmacy in Florida Faces Lawsuits Following Hack
Maryland officials have confirmed that a December cyberattack on the state's health department, which is still disrupting some services that were taken offline during recovery, involved ransomware. Officials say the state has not paid a ransom and has activated its cyber insurance policy.
Meanwhile, at least two proposed class action lawsuits have been filed in a Florida federal court against Altamonte Springs, Florida-based BioPlus Specialty Pharmacy Services in the wake of a cyber incident detected in November - also allegedly involving ransomware - that compromised the protected health information of at least 350,000 individuals.
Maryland Health Department Attack
In a statement Wednesday, Maryland CISO Chip Stewart confirmed that a cyberattack on the Maryland Department of Health, discovered on Dec. 4, involved ransomware (see: HHS Warns Healthcare Sector of Pysa Ransomware Threats).
"We have paid no extortion demands, and my recommendation - after consulting with our vendors and state and federal law enforcement - continues to be that we do not pay any such demand," he says.
"At this time, we cannot speak to the motive or motives of the threat actor."
Maryland's health department isolated and contained its systems within several hours of first detecting the incident, and the investigation so far has found no evidence of unauthorized access to or acquisition of state data, Stewart says.
During a hearing on Thursday with Maryland legislators, Stewart said the ransomware incident was followed by an attempted - but "unsuccessful" - distributed denial-of-service attack that investigators believe was launched by different adversaries.
Stewart says that during the early morning hours of Saturday, Dec. 4, the health department’s network team identified a server that was not working properly. The team immediately launched an investigation to determine the cause of the technical issues, he says.
Through routine troubleshooting, the team members identified activities that they felt warranted escalation to the internal health department IT security team. Shortly after that, the network team alerted Stewart of a suspected ransomware attack. "I was notified shortly thereafter and activated the state’s cybersecurity incident response plan through the Maryland Security Operations Center," Stewart says.
This triggered a notification to the state’s cyber response team, including the Maryland Department of Information Technology, the Maryland Department of Emergency Management, state police, the Governor’s Office of Homeland Security and the Maryland National Guard, he says.
Stewart says he also notified the FBI and the Cybersecurity and Infrastructure Security Agency.
Cyber Insurance Policy Activated
Stewart says he activated the state’s cybersecurity insurance policy through the State Treasurer’s Office, bringing external forensic resources and advisory resources to help ensure that the department was properly handling the incident.
"[The health department] took immediate containment action by isolating their sites on the network from one another, external parties, the internet, and other state networks," he says.
As a result of the containment approach, some services were rendered unavailable and some remain offline, he says.
"I want to be clear: This was our decision and a deliberate one, and it was the cautious and responsible thing to do for threat isolation and mitigation. We are recovering with deliberate action to minimize the likelihood of reinfection. I cannot stress how important this point is - in order to protect the state’s network and the citizens of the state of Maryland, we are proceeding carefully, methodically, and as expeditiously as possible, to restore data and services."
A notice on the health department's website on Thursday said approximately 95% of state-level surveillance data have been restored and that work continues to reinstate the full COVID-19 dataset. "Our remaining data reports will be updated at the earliest opportunity," the notice says.
Stewart says the state is continuing to harden its IT infrastructure and defenses.
Maryland Department of Health Deputy Secretary Atif Chaudhry, in the same statement, says that immediately following the attack, in accordance with the department’s continuity of operations plan, the department assessed the business functions that had been affected and began to prioritize them.
"In this instance, we are using a tiered system that is focused on mission critical and life-safety business functions. This prioritization of the department’s affected functions has led to the development of a critical path for recovery and bringing systems back online," he says.
The department also implemented modified workflows for business processes in order to continue to provide services, focusing on mission-critical and life-safety services, he says, including Maryland’s previous decision to migrate to Google Workspaces. "This has permitted access to a full suite of tools online unaffected by the incident and allows MDH to continue to collaborate and save and share critical files."
The department has also ordered additional equipment to implement the continuity of operations plans and modified business processes. This includes 2,400 laptops, and an additional 3,000 are being ordered this week, Chaudhry says.
He says the health department also ordered mobile Wi-Fi devices, printers and wireless access points to ensure employees can still perform their jobs.
"We will continue to simultaneously execute our continuity of operations plan and modify processes to perform MDH business functions while working with department of IT and the cybersecurity team we have assembled to complete the investigation and fully restore all systems."
The Maryland Department of Health did not immediately respond to Information Security Media Group's request for additional details, including the amount of ransom demanded, the type of ransomware involved, and the extent of the state's cyber insurance coverage.
At least two proposed class action lawsuits have been filed in a Florida federal court in recent days against specialty drug pharmacy BioPlus.
The company on Dec. 10 reported to the U.S. Department of Health and Human Services that a hacking breach involving a network server had affected the protected health information - including patient names, medical diagnoses, prescriptions and in some cases Social Security numbers - of 350,000 individuals.
At least one of the complaints against BioPlus alleges the incident involved ransomware and data exfiltration. Both allege a variety of state law violations by BioPlus, including negligence in failing to implement adequate and reasonable measures to ensure that plaintiffs’ and class members’ personal information was safeguarded.
The lawsuits seek damages as well as improvements to BioPlus' security practices.
BioPlus did not immediately respond to ISMG's request for additional information about the incident and comment on the lawsuits.
Digging Into Cybercriminals' Minds
Some experts say the surge of ransomware and other cyber incidents in the healthcare and other sector - especially during the pandemic - not only highlights the necessity for organizations to implement stronger security defenses, but also spotlights the need for more in-depth study into evolving cybercriminal motivations and behaviors.
"Is there some opportunity in learning more about how these threat actor operate in order to put into place better defenses?" Stan Mierzwa, director of the Center for Cybersecurity at Kean University in Union, New Jersey, asks.
"I hope in the next year and next several years there is greater research into cybercrime," including the gleaning of lessons that can be disseminated to potential victim organizations to help them harden their defenses, he says.