Services provided by the Maryland Department of Health, such as its public accounting of some key COVID-19 metrics, remain halted in the days following a cyberattack that forced the state agency to temporarily take its website offline.
The department has not updated surveillance data related to new cases and deaths caused by the coronavirus — or the state’s positivity rate and testing volume — since the weekend. On Wednesday, hospitalization reporting resumed, revealing a spike in bed occupancy of 18% in just five days. The number hospitalized — 925 — is the most since early May, according to state data.
The increase in hospitalizations likely can be traced to the surge in coronavirus infections detected in the wake of the Thanksgiving holiday.
The full extent of the cyberattack’s damage remains unclear, but even a small disruption to COVID-19 metrics reporting can have dire consequences for the public and interfere with how people make decisions, health experts said. It also comes as Marylanders remain vulnerable to the virus, which has mutated into a new, potentially more contagious and elusive strain known as omicron that researchers are racing to understand.
That data also is critical for government leaders and hospitals to have so they can respond to outbreaks and implement policy changes as needed, said Crystal Watson, senior scholar and assistant professor at the Johns Hopkins Center for Health Security.
“This feels very nefarious; it’s unfortunate the health department has been put in this position,” Watson said. “If the information is not available there can be delays in response that will increase transmission and cost lives.”
In response to a series of questions about the incident, Andy Owen, a spokesman at the state health department, said the investigation into the attack is ongoing, and the state agency and its partners are collaborating with federal and state law enforcement. The department’s main website is operational again, he said, and officials are working to restore full COVID-19 data reporting “at the earliest opportunity.”
Data related to COVID-19 vaccinations has resumed, he added.
“As previously stated, we have taken certain systems down out of an abundance of caution,” Owen said in an email. “Similarly, we have asked employees to not use state-issued computers. There is no evidence at this time that any data have been compromised.”
Taking systems offline is the “correct approach” in addressing security breaches like these, said Michael Greenberger, director of the University of Maryland Center for Health and Homeland Security, despite the inconveniences it may cause.
“If you know you’re being hacked and you haven’t lost any data, if you stay online, you might lose that data,” Greenberger said in a Monday interview. “If there’s no handle on it, you could end up in a worst-case scenario where the data is locked out, and the person says, ‘if you don’t turn over X amount, we’ll reveal to the world what your medical problems are.’”
Such attacks on Baltimore City government agencies, Baltimore County schools and the Greater Baltimore Medical Center disrupted critical functions and rendered some services unusable for a time in recent years — delaying the collection of bills, canceling online classes, killing phone lines and postponing medical procedures, for example. Another data breach at the University of Maryland, Baltimore led to some students’ private information becoming public on the web earlier this year.
Every state and institution is vulnerable, Greenberger said, so long as private and sensitive information is stored electronically and large transactions are conducted online.
“This is the future of our country,” Greenberger said. “This is the new way of life. It’s the new hand-to-hand combat. It is a daily nightmare.”
The health department’s network breach had ripple effects on smaller local health departments, which are interconnected and have frequent contact with the state agency.
In Baltimore, a spokesman for Mayor Brandon Scott said city employees won’t be able to access state-housed data, limiting its own COVID-related data reporting.
“We are also experiencing non-COVID related data disruptions at this time; principally, unavailability of data for early notification of community-based epidemics, reportable disease investigation, and early detection of suspicious patterns of illness,” spokesman Jack French said in a Tuesday email. “Given MDH’s role as our primary source of disease specific data, as noted above some publicly reported data and analytics will be limited until such time that this suspected system threat is suppressed.”
In Howard County, health department spokeswoman Lisa de Hernández said the agency is experiencing difficulty with issuing death certificates to funeral directors.
“Birth certificate services are still available,” she said in an email. “Our other front-facing services are for the most part up and running as normal.”
And in Harford County, spokeswoman Ronya Nassar said the health department “was affected,” but declined to specify how, and forwarded a reporter to the state agency for more details.
State lawmakers have not been provided with a full window into the incident, despite the effects it’s had on many of their home jurisdictions, said State Sen. Clarence Lam, a Democrat who represents Baltimore and Howard counties.
Lam, also a physician, said law enforcement and consultants may have advised the department to share little about the attack so as to not reveal more about the agency’s vulnerabilities or embolden other perpetrators. Still, he said, the public should know which programs are impacted and where.
“To the extent possible, they need to be able to disclose what they can about services that are integral,” Lam said. “There’s a level of reassuring they need to give to the public, and local health departments, and those utilizing these services.”
Meanwhile, health department employees were instructed Sunday to stop using agency-issued computers and devices and its WiFi service and avoid saving “protected health information” or “personal identifiable information” on personal equipment, according to a staff memo obtained by The Baltimore Sun. Employee-issued cellphones were approved for use, but only if they were not logged into the agency WiFi.
Staffers who work remotely but either don’t have or don’t want to use personal devices were instructed to report to offices and were barred from taking administrative leave. Accrued leave requests were to be reviewed on a case-by-case basis.
The memo acknowledged that partner agencies, including local health departments, were impacted.
Hopkins’ Watson said the security breach might inspire renewed fervor among government leaders to invest in public health, where employees often are under-resourced and ill-prepared to respond to multiple crises at once.
“Public health needs a boost in their data infrastructure,” Watson said. “And so, hopefully the funds for that will come to help health departments across the country.”
Baltimore Sun reporters Meredith Cohn and Christine Condon contributed to this article.