Questions linger after MDH ransomware attack

Heath Renfrow, former chief information security officer for U.S. Army Healthcare, who now works at Conversant Group, told WYPR that he finds it hard to believe no data was lost.

“I have not seen in the hundreds of different incidents that I’ve been involved with, including the restoration effort, where there was not a loss of data,” he said.

Renfrow said it will probably be three to six months before the department is fully operational.

“You never come back completely from an attack like this and get exactly the same situation you were in before the attack,” he said.

He also noted that cost ramifications could be long lasting. The department has bought 5,400 laptops and other devices as part of recovery. Renfrow said those purchases are “surprising” to him because acquiring that much equipment isn’t easy right now, given a shortage in microchips.

“It’s been an indication that they were not fully prepared for a catastrophic event like this because they’ve had to invest so much money in new equipment,” he said.

Renfrow said that he believes having to buy that much equipment means it’s likely protected health information could have been exposed. If that is the case, he said the department may have to report a possible violation of HIPAA law to the Office of Civil Rights before the investigation is over.