Two legislative committees that oversee the Maryland Department of Health plan to grill state officials about an attack that disabled the agency’s computers, top lawmakers said on Tuesday.
Gov. Lawrence J. Hogan Jr. (R) has revealed little about the Dec. 4 attack, which has significantly hampered the agency’s operations.
Health department employees initially were told to stay off their computers as a precaution. Although some systems have come back online, the agency has not posted COVID-19 case rates, testing or mortality data since Dec. 3.
Hospitalization and vaccine data are available, as are congregate and school outbreak reports. Maryland is experiencing its biggest spike in hospitalizations since April.
“The governor has been incredibly quiet about this issue,” said Del. Shane Pendergrass (D-Howard), head of the House Health and Government Operations Committee. “The question of how it happened, why it happened, how bad is it — all of those things need to be answered.”
Senate Education, Environment and Health Affairs Committee Chairman Paul G. Pinsky (D-Prince George’s) accused Hogan of being “absent.”
“He’s always out front when there’s good news — even it’s not because of his actions. But when there’s bad news, he’s not in front of the cameras,” the lawmaker said. “They shouldn’t duck this. They should say what the problem is [and] how long it’s going to take to fix it.”
“We know nothing” about the impacts the attack is having, Pinsky added, including whether hackers have sought a ransom payment, a common tactic.
Hogan’s office initially did not respond to requests for comment on Tuesday, and a Maryland Department of Health spokesman declined a request for an interview.
The agency also refused to answer written questions about whether the attack originated overseas, whether a ransom has been requested, whether employees are able to use their government-issued computers, how operations have been impacted, who is handling the investigation, or whether Health Secretary Dennis Schrader intends to testify at the legislature’s hearing.
The morning after this story was initially published, Hogan spokesman Michael Ricci sent a brief statement: “We fully briefed legislative leaders last week, and we will continue to provide information to legislators and constituents to the extent possible without compromising the ongoing investigation.”
At a press conference last Thursday, Hogan said, “Our system was compromised, but at this point it appears to be much, much less intrusive and with a much better outcome than we were afraid might be the case.”
“We don’t believe that any data was sacrificed, and I think they’re digging into it and getting into the problem,” he added.
On July 1, the state reported 97 COVID patients in Maryland hospitals. On Tuesday, there were 1,173, the most since April 22.
Anne Arundel officials reported Tuesday that there are 84 COVID patients in county hospitals, up from approximately 40 last week.
“It is concerning to have a doubling of our hospitalization in the last week and not know what our case rates look like right now,” County Executive Steuart Pittman (D) told reporters. “Not knowing what’s going on with the case rates means that [hospitals] can’t project what their hospitalization rates are going to be in two weeks.”
Most of Anne Arundel’s sickest COVID patients had not been vaccinated, Pittman said.
Anne Arundel Fire Chief Trisha L. Wolford said hospitals are “absolutely struggling” — as are her paramedics.
“The waits are incredibly long,” she said. “When they’re at the hospital for multiple hours, it’s heartbreaking that they can’t be out in the community.”
Wolford urged unvaccinated residents to “do the right thing for your community and your neighbors” by getting their shots.
In a statement, state health department spokesman Andy Owen said the agency “took down certain systems out of an abundance of caution following the recent network security incident.”
The agency’s priorities are “gaining full visibility into the affected network infrastructure,” bringing systems back online, and restoring full COVID-19 data reporting capabilities, he said.
Pendergrass has scheduled a hearing into the computer attack for Thursday, Jan. 13, the first full day of the legislature’s 2022 session. She and Pinsky have agreed to hold one together but Pinsky wants to hold it in December.
Regardless of when lawmakers hold their hearing, “the governor will not likely take responsibility for this, nor will anyone else,” Pendergrass said. “The administration is not ever very forthcoming about anything, in particular the Health Department.”
By Bruce DePuyt