If you’re in Rock County, Wisconsin, it seems your Information Technology Director and Corporation Counsel do not want you to know certain things about the September ransomware attack — even though people in the rest of the country may already know what they have decided not to tell you. They didn’t even tell your own county board certain details, it seems.
So let’s talk about what they didn’t disclose, because DataBreaches believes that consumers and patients who are victims of data breaches have a right to know and need to know so they can assess their risk and then make decisions on how to protect themselves.
Quotes in the remainder of this article are from an article that appeared in GazetteXtra on November 26. The article began by reporting that Corporation Counsel Richard Greenlee told the county board that in investigating the September cyberattack, they recognized that the county is a “hybrid organization” under HIPAA. That means that some files that the threat actors accessed without authorization triggered notification obligations to individuals and to the U.S. Department of Health and Human Services (HHS).
Greenlee told the county board Nov. 16 that there are three steps involved following a cyber attack regarding health information. The county, he said, is wrapping up the first stage, which is the investigation. He said the county has a “pretty good idea” of what systems were accessed.
The next step is the data review, which will be sending out information collected in the investigation process to a data mining company to see what was taken. The last step is the notification process of what personal information was subject to the breach.
Did he mention that the county was legally obligated to make the notifications to individuals and to HHS no later than 60 calendar days from the date they discovered the breach or should reasonably have known they had a breach? Will they meet that deadline? When exactly did they first discover that protected health information was accessed? The 60-day clock started as soon as they realized protected health information had been accessed or acquired without authorization — not after they finished their investigation, but after they first realized they had a breach.
But the main concern is their lack of transparency. Consider the following:
Rock County Administrator Josh Smith said he, Greenlee and Mosely felt it was the best course of action to shield the public and supervisors from knowing details about the cyber attack.
“Sometimes open meetings law is outdated … so we didn’t come to you in closed session,” Smith said. “So, the first principle was limiting information to be made available publicly was the best response as the response was unfolding.”
Smith told board members that he, Greenlee and Mosley assumed that the actor was monitoring local media or the county for what was being said. They didn’t want to risk information being used as “leverage,” he said.
“What we also couldn’t do under best risk analysis strategy in the best interest of the organization (county) is put out information that we did not know if it would go out in the media or if it would end up on social media. We were entrenched a bit. We had a lot of lawyers advising us on this as well. It wasn’t just Rich making up all this stuff, which he is very good at,” Smith said.
So there was no law or policy that required them to reveal information, and they just took it upon themselves to decide what the board and public would be told? Seriously?
According to their own statement, they were looking out for the best interest of the county. What about looking out for the best interest of the patients whose protected health information may have been accessed?
Is keeping people in the dark that their data may have been stolen and leaked on the dark web in the people’s best interest? DataBreaches does not think it is.
Smith also said county officials are still trying to mitigate risk from the attack, particularly financially. He also told the board that officials will not name the actor, actors or entity behind the attack.
“Even though information is circulating we have made a decision not to publicly name the threat actor because we don’t want to add to the internet ecosphere any other connections that people could connect dots that could negatively affect the county,” Smith said.
By September 30, it had already been publicly reported that the threat actor was a ransomware group called Cuba, which is believed to be connected to Russia.
And once again, their rationale was preventing people from connecting dots that could negatively affect the county. Who was worried about negatively affecting the people?
“It’s a risk mitigation strategy even though I know it might seem silly to you. ‘It’s out there.’ Well, it’s not out there for everybody. It’s out there for some people. If we talk about it, it will be out there for more people.”
“More people” – including the victims who need to know to assess their risk.
If they had told those affected that the incident was already listed on the dark web by the threat actors and that there was a download link, would people have had information that might help them decide how best to protect themselves? Even if district personnel and Corporation Counsel didn’t disclose the name of the group, should they have told people that it appeared the stolen data was being leaked and made available to everyone who wanted to download it from the dark web?
The right of people to know what has happened to their information cannot be left to the discretion of local IT people or lawyers who do not have a primary duty to the people who are the victims. This situation demonstrates once again why we need legislation to regulate what gets disclosed to ensure that victims are given all the information they need to assess their risk.
DataBreaches notes that HHS still has an open case involving a previous Rock County breach involving their Human Services Department that affected 25,610 patients.