An apparent cyberattack downed Maryland’s health department and COVID data. Here’s what we know and don’t know.

We have lifted the paywall on this story. To support essential reporting, please consider becoming a subscriber.

Thank you for supporting our journalism. This article is available exclusively for our subscribers, who help fund our work at The Baltimore Sun.

Earlier this month, the Maryland Department of Health fell victim to an apparent cyberattack that prompted the agency to take some of its servers offline. One result was the department couldn’t update most of the metrics on its COVID-19 data dashboard for weeks.

The state has disclosed few details about what it describes as a “network security incident” first detected Dec. 4, even after it restored on Monday some of the coronavirus data reporting earlier this week.


Some 28,500 Marylanders contracted the virus during the two weeks the servers were offline, according to the state data, backing up public health officials’ warnings of another COVID-19 surge driven by the rapidly spreading and even more contagious omicron variant.

While data on new cases and testing positivity has been restored, other data including deaths and geographic and demographic data for cases hasn’t been brought back.


Officials also haven’t yet explained what caused the cybersecurity breach or the extent of its impacts. A news conference Monday yielded few answers, while a health department spokesman referred a reporter to a page on agency’s website with information about the cybersecurity breach.

Here’s what we know and don’t know:

What happened and when

The health department detected “unauthorized activity involving multiple network infrastructure systems” on Dec. 4, according to the agency’s page. Officials subsequently took some servers offline to protect the network.

A health department spokesman confirmed early on that employees were asked not use state-issued computers.

Chip Stewart, Maryland’s chief information security officer, implemented “an incident command structure with a focus on protecting the MDH network, conducting a forensic investigation, and restoring core services,” the page reads.

An unknown cause

Authorities have not yet described exactly what type of “network security incident” led officials to take servers offline and launch an investigation by the FBI and other federal and state law enforcement agencies.

However, experts told The Sun after the attack that the few details provided could be consistent with a ransomware-style attack.

Ransomware is malicious software that locks users out of files, systems or networks, according to the FBI. Those responsible for introducing the software demand a ransom to unlock or decrypt the files.


“The fact that they’ve disconnected parts of their network, it would seem, from the internet might be an effort ... to get the bad guys out of the system before they can issue the commands to encrypt the data,” said Joe Carrigan, a senior security engineer at the Johns Hopkins University Information Security Institute, in an interview days after the incident.

Data missing from COVID dashboard

For much of the pandemic, the health department’s coronavirus dashboard has provided visitors to the website with insight into the virus’ spread through a variety of tallies, metrics and graphs.

The service was disrupted for more than two weeks after officials detected the breach Dec. 4. Officials managed to report some data, like COVID-19 hospitalizations, which came from another state agency, and vaccinations. Others weren’t updated until Monday.

Since then, the state’s web page with information about the breach said the dashboard reflected 90% of coronavirus metrics. That includes new coronavirus cases, testing positivity rate and testing volume.

The state has not reported new COVID-19 deaths since the breach, along with demographics about those infected and metrics by jurisdiction.

When will it restore “more detailed surveillance” data? “As soon as possible,” the website says.


Health department services affected

The security breach hindered the health department’s capacity to report coronavirus data.

Breaking News Alerts

As it happens

Be informed of breaking news as it happens and notified about other don't-miss content with our free news alerts.

However, many of its other core functions were not affected because the health department utilizes cloud-based services, the page says. It also touted the state’s cybersecurity strategy.

The apparent breach did impact the state health department’s “external partners,” such as local health departments, according to the page.

Authorities have not come up with evidence that any data was lost or compromised, according to the department. Its page says “some MDH servers remain offline out of an abundance of caution while the investigation continues and systems are restored.”

While state lawmakers were thankful the health department restored some of its coronavirus data reporting, they have raised concerns that some of the agency’s other functions were disrupted. The state has not said what has been affected, beyond the website being taken offline after the attack and the pause in COVID data reporting.

State Sen. Katie Fry Hester, who is co-chair of a joint cybersecurity committee, said Monday she’s heard from constituents needing help getting medication through a state HIV program and state hospital employees having to use fax machines to order supplies because email has been down.


Hester, a Democrat representing parts of Howard and Carroll counties, urged the administration of Republican Gov. Larry Hogan to provide more information to the legislature so lawmakers can better help their constituents.

Baltimore Sun reporters Pamela Wood, Meredith Cohn, Christine Condon and Hallie Miller contributed to this article.