More than 20 state lawmakers sought clarity on the ransomware attack on the Maryland Department of Health (MDH) at a joint commission meeting Thursday.
The attack, which forced MDH to shut down its website in December, has had sweeping effects, including disrupting COVID-19 data reporting capabilities and hospital operations as well as delaying funerals.
But representatives from MDH and the Department of Information Technology offered little new information at the meeting, which stretched more than two hours.
Chief Information Security Officer Chip Stewart echoed other department representatives in citing the ongoing criminal investigation into the attack.
“Unfortunately, we can't share any information about when we believe initial access occurred to the network and the time lapse between initial access and deployment of any payloads,” Stewart said.
The health department has stated repeatedly that there’s no evidence yet that personal data has been lost or compromised, but failed to explain how they know this.
Senator Katie Fry Hester, the Chair of the Joint Committee on Cybersecurity, Information Technology and Biotechnology, expressed frustration that many of her questions remain unanswered.
“One, which I have asked and last, again, is how many of the cybersecurity assessments are done? How much is it costing? And what do you need to finish them all by the end of the year?” she asked.
Heath Renfrow, former chief information security officer for U.S. Army Healthcare, who now works at Conversant Group, told WYPR that he finds it hard to believe no data was lost.
“I have not seen in the hundreds of different incidents that I've been involved with, including the restoration effort, where there was not a loss of data,” he said.
Renfrow said it will probably be three to six months before the department is fully operational.
“You never come back completely from an attack like this and get exactly the same situation you were in before the attack,” he said.
He also noted that cost ramifications could be long lasting. The department has bought 5,400 laptops and other devices as part of recovery. Renfrow said those purchases are “surprising” to him because acquiring that much equipment isn’t easy right now, given a shortage in microchips.
“It’s been an indication that they were not fully prepared for a catastrophic event like this because they've had to invest so much money in new equipment,” he said.
Renfrow said that he believes having to buy that much equipment means it’s likely protected health information could have been exposed. If that is the case, he said the department may have to report a possible violation of HIPAA law to the Office of Civil Rights before the investigation is over.