Two Agencies Grapple with Cyberattacks

By Dara Kam, The News Service of Florida

TALLAHASSEE — More than three months after a computer system serving as a backbone of the Florida Department of Juvenile Justice was hacked, many contractors providing services to at-risk and troubled youths remain unable to access the network.

Efforts to bring the network back online were still ongoing as the state was hit with a second cyberattack that resulted in outages of the Florida Department of Health’s Vital Statistics System. The statewide system is used to process birth and death certificates, among other records.

Reports that cyber-thieves RansomHub had hacked into the vital statistics system began circulating July 1 on social media. The hackers threatened to release health department data on the dark web if the state did not pay an unspecified amount of money by last Friday. Florida law prohibits state and local governments from paying ransom for cyberattacks.

The interruption of the vital statistics system has put funerals on hold and created financial issues for people who need death certificates to process bank account changes, make insurance claims or seek updates to Social Security benefits.

The health department “is coordinating with law enforcement and all relevant stakeholders” and is “working diligently to resolve the temporary outage” affecting the system, agency spokeswoman Jae Williams said in an email Tuesday.

“To facilitate continued operations of death certificates, the department has worked closely with funeral homes and health care facilities to implement offline procedures during this period. These instructions have been provided to all licensed funeral directors statewide. In addition, all county health departments have been provided the necessary resources to issue death certificates offline during this time,” Williams wrote.

Health officials also are asking for help from health-care facilities and physicians “to expedite hand-signed death certificates,” the email said.

“This collaboration across all partners will assist families in navigating difficult times with minimal disruption,” Williams added.

State Surgeon General Joseph Ladapo said his agency is “working around the clock” to restore the system and that “the majority” of the agency’s operations and services “remain operational and unchanged.”

County health departments are able to issue copies of birth certificates for babies born before June 28, according to Williams’ email. State health officials are working with hospitals to manually process birth certificates for births on or after June 28.

The Vital Statistics System incident occurred about three months after a cyberattack on the Department of Juvenile Justice network, known as the Juvenile Justice Information System. The agency confirmed this week that the network remained inaccessible for many contractors, who handle the bulk of services provided to at-risk and troubled minors, but was up-and-running for agency employees.

“On March 29th, the department was made aware of a potential cybersecurity incident and proactively brought its systems offline in an abundance of caution, as is often the standard practice. The department has been strategically bringing systems back online in phases to ensure the security and integrity of our data systems. All DJJ-staffed sites have access to the Juvenile Justice Information System with partners’ access in the coming days,” agency spokeswoman Amanda Slama said in an email.

The network includes detailed data about children who have been referred to the Department of Juvenile Justice, including health records, risk assessments, service plans and referrals for mental-health services. Service providers have been documenting work on paper while the system has been offline.

“I think, in this situation, three months is too long,” Aaron Ward, chief information security officer for iVenture Solutions, a Florida-based information-technology and cybersecurity company, told The News Service of Florida on Wednesday. “Something is wrong. … This is not a good look for Florida. This is not a good look for cybersecurity or IT professionals in general.”

Ward’s company, which specializes in small- and medium-sized businesses, is not involved in addressing either of the attacks on the state systems.

Hacks such as the one that hit the health department usually start with what is known as a “business email compromise,” or BEC, Ward said.

“That is such a huge, prominent vector of getting initial access, because it’s low effort on attackers, right? They just figure out who they want to attack, use social media, or just normal internet information to get a bunch of email addresses and then flood those email addresses with tricky emails,” he said.

A user clicks on one of those emails, is taken to what looks like a familiar webpage and enters their credentials into what Ward called “an evil portal.”

“So they see the user name and password and, boom, I’ve got access. Then it all depends on the amount of layers of security the organization has to detect threats and things like that,” Ward said. “In my opinion, the biggest bang for buck that organizations can do is end-user awareness training. And I know the state of Florida does that. But I don’t think it’s very effective. I think they’re teaching it wrong.”

Sen. Jennifer Bradley, a Fleming Island Republican who chairs the Senate Criminal and Civil Justice Appropriations Committee, said the Department of Juvenile Justice acted quickly to protect the data in the JJIS system. She said children continued to receive services.

“There’s always more that we can do and I think the technology evolves, but I think we want our state agencies, if they believe that their system has been breached, we want them to take these precautions. We don’t want all the data revealed,” Bradley said in a phone interview. “I’m glad they took the steps that they did to protect the information, to protect the system. … Certainly, everyone wishes it could happen a lot quicker.”