‘Who should we trust?’: Lawmakers grill state officials over ransomware attack, mishandled vaccines

Members of three legislative committees grilled Maryland Department of Health officials Thursday. (Screenshot via Zoom)

This content was republished with permission from WTOP’s news partners at Maryland Matters. Sign up for Maryland Matters’ free email subscription today.

State lawmakers slammed officials in the Hogan administration Thursday as they were briefed about a succession of problems the Maryland Department of Health has confronted in recent weeks.

Members of the three legislative panels — the House Health and Government Operations, the Senate Education, Health and Environmental Affairs and the Joint Committee on Cybersecurity, Information Technology and Biotechnology — posed questions to Maryland Department of Health Secretary Dennis R. Schrader and Dr. Jinlene Chan, the agency’s deputy director of public health services, about the mismanaged vaccines administered to 873 Marylanders by a state-contracted company.

The same panels also interrogated top health and information security officials about ongoing agency service outages after a Dec. 4 cyberattack. Citing an ongoing criminal investigation, officials didn’t provide lawmakers with much information.

On the mismanaged vaccines, legislators pushed for answers regarding timelines and oversight of the government contractor TrueCare24.

A whistleblower within the Department of Health brought concerns about TrueCare24’s poor handling of vaccines used at state-run clinics and their inappropriate documentation process forward in July.

But the agency didn’t stop TrueCare24 from hosting vaccine clinics until September.

The CDC advised department officials to begin notifying recipients of the mishandled vaccines on Nov. 10. The agency didn’t begin to send out emails and letters until Dec. 30 — one day after the Baltimore Sun published a report on the problems with TrueCare24.

Del. Terri L. Hill (D-Howard and Baltimore County) told Chan and Schrader that she was confused about the long delay in the time it took to notify vaccine recipients.

“So the analogy is that if my condom breaks, I’m not going to wait and see what happens before I start taking precautions,” Hill said.

Chan and Schrader said they gave the company time to correct its behavior, and pulled the plug as soon as it was clear improvements weren’t being made.

“We quickly took the contractor that we were not satisfied with out of the [vaccination distribution] system,” Schrader said. “What we were slow at was getting the advice from the manufacturers and the CDC and that should have been much faster.”

Sen. Clarence K. Lam (D-Howard), a medical doctor, said he fears TrueCare24 may just be the “tip of the iceberg,” and asked what the Department of Health has done to ensure that other vendors are properly documenting how vaccines are handled.

“​​In speaking with the whistleblower, …it has become clear that there was not much quality control or quality assurance done with regards to these vendors as they were administering the vaccines — that there was really a blind drive to pump up the numbers,” Lam said.

Chan said that the department “took actions” to mitigate TrueCare24’s impact on vaccine recipients as they “learned more about the challenges in their operations.” She said the agency’s clinical team, who work with vaccine clinic providers, “continues to provide oversight” and “any issues that they identify are raised.”

“OK, sounds like it hasn’t been done yet,” Lam responded quietly.

‘I’ve seen enough dancing’

Nearly six weeks after the cyberattack against the Department of Health, the Hogan administration acknowledged Wednesday that the perpetrator sought a ransom payment.

Until this week, tight-lipped administration officials would only refer to the attack as an “incident.”

According to Maryland Chief Information Security Officer Chip Stewart, the state has not made such a payment, and has no plan to.

Senate Education, Health and Environmental Affairs Chair Paul G. Pinsky (D-Prince George’s) grew frustrated with Stewart, saying that he “misled” the General Assembly’s presiding officers at a “disingenuous briefing” on Dec. 22.

“You explained during that briefing there was an incident — an incident, and I underline incident — and that you had removed or closed off the systems to review and protect them as you shared today,” Pinsky said.

Pinsky said he had asked Stewart at the time to clarify that there had been no “hack” to the Department of Health’s network system, and that what had occurred was only an “incident.”

According to Pinsky, Stewart confirmed.

At the Thursday briefing, an exasperated Pinsky said he was trying to understand why Stewart did not inform the presiding officers that this was an act of ransomware.

“I’ve seen enough dancing. You know, I’ve heard 40 minutes of dancing and apparently I heard dancing on Dec. 22,” Pinsky told Stewart. “The question is transparency. And the question is also integrity — and I’m not talking about system integrity, I’m talking about human integrity.”

“The question becomes, who should we trust?” he continued. “And can we trust the administration and your department in telling the truth?”

Stewart said he hadn’t intended to be misleading, and that “incident” was the “technical definition of what’s occurred.”

The attack that took place during the early hours of Dec. 4 has crippled state and local health agencies — so much so that some employees have been without their work computers for over a month and systems that report data on communicable diseases remain offline.

Stewart said the decision to move systems offline was deliberate, and warned that bringing everything back too quickly could cause the agency to restart its recovery efforts all over again.

Atif T. Chaudhry, the deputy secretary of operations for the Department of Health, said different arms of the agency have been able to continue functioning via “workarounds.”

Del. Jessica M. Feldmark (D-Howard and Baltimore County) asked the panel to require a full list of the department’s services and systems derailed by the attack, the status of the workarounds that are allowing them to function, and a timeline for when services will be fully back online.

The attack has also had major implications for health care workers seeking to renew their license or receive one for the first time.

Last week, Gov. Lawrence J. Hogan Jr. (R) issued an executive order to allow inactive health care practitioners provide care without renewing their licenses and let graduate nurses provide care in hospitals and other health care settings.

Lawmakers pressed Schrader Thursday to extend the executive order for a longer period and to include a variety of other health care providers, like social workers — either via legislation or the governor’s authority.

“Right now, I think what you need to do is tell the governor what he doesn’t want to hear, which is: We got a problem, we need to fix it and you have the authority to fix it,” said House Health and Government Operations Chair Shane E. Pendergrass (D-Howard).

Noting that they probably wouldn’t receive more answers because of the investigation, Pendergrass and Pinsky kept the two-and-a-half-hour briefing in public view and out of a closed executive session.

More from WTOP

Log in to your WTOP account for notifications and alerts customized for you.

Sign up