JANESVILLE — In a report to the county board, Rock County Information Technnology Director Dara Mosely and Corporation Counsel Richard Greenlee said they have been investigating the September ransomware attack that affected county offices.
Greenlee said with the county acting as a hybrid organization, some files are protected by the Health Insurance Portability and Accountability Act, also known as HIPAA. As a result, not only would the access have been unlawful, there was also unauthorized access to health information that would have prompted notifications to people in those files and the U.S. Department of Health and Human Services. It is unknown whether or not the actor took health information.
Greenlee told the county board Nov. 16 that there are three steps involved following a cyber attack regarding health information. The county, he said, is wrapping up the first stage, which is the investigation. He said the county has a “pretty good idea” of what systems were accessed.
The next step is the data review, which will be sending out information collected in the investigation process to a data mining company to see what was taken. The last step is the notification process of what personal information was subject to the breach.
Mosely said it was a “double extortion attack,” which is when an attacker infiltrates sensitive data and encrypts it, making it easier to get ransom money. The request, from what he called an “organization,” was for $1.9 million.
The county was able to restore its system without having to pay the ransom, Mosely said.
After the attack was discovered, county officials disconnected its network from the internet on Sept. 30 to halt the threat. Triage started Oct. 1. Since then, there have been no further malicious actions related to this attack or others, Mosely said.
The county has 150 servers, of which 32 were affected. Two laptops were affected. Mosely said the areas that were “most affected” were the Public Safety, Human Services, Medical Examiner’s offices and IT’s internal systems. Most affected systems have been restored, Mosely said. However, some still haven’t, including a Human Services access database and a system at the Rock Haven skilled nursing facility.
Mosely didn’t say how the actor gained access, but he said access was not gained via email or user interaction.
Greenlee said he spoke with the FBI and the attack was still under federal investigation.
Communication with the public
Rock County Administrator Josh Smith said he, Greenlee and Mosely felt it was the best course of action to shield the public and supervisors from knowing details about the cyber attack.
“Sometimes open meetings law is outdated … so we didn’t come to you in closed session,” Smith said. “So, the first principle was limiting information to be made available publicly was the best response as the response was unfolding.”
Smith told board members that he, Greenlee and Mosley assumed that the actor was monitoring local media or the county for what was being said. They didn’t want to risk information being used as “leverage,” he said.
“What we also couldn’t do under best risk analysis strategy in the best interest of the organization (county) is put out information that we did not know if it would go out in the media or if it would end up on social media. We were entrenched a bit. We had a lot of lawyers advising us on this as well. It wasn’t just Rich making up all this stuff, which he is very good at,” Smith said.
Smith also said county officials are still trying to mitigate risk from the attack, particularly financially. He also told the board that officials will not name the actor, actors or entity behind the attack.
“Even though information is circulating we have made a decision not to publicly name the threat actor because we don’t want to add to the internet ecosphere any other connections that people could connect dots that could negatively affect the county,” Smith said. “It’s a risk mitigation strategy even though I know it might seem silly to you. ‘It’s out there.’ Well, it’s not out there for everybody. It’s out there for some people. If we talk about it, it will be out there for more people.”
Sign up for our Daily Update & Weekend Update email newsletters!
Get the latest news, sports, weather and more delivered right to your inbox.
