Investigators said they found evidence the hackers “staged and exfiltrated,” or exported, data from the county clerk’s network, as well as Suffolk’s main parent network. Credit: Newsday/Karen Wiles Stabile

Forensic investigators probing the September ransomware attack on Suffolk County found evidence that hackers encrypted data and left ransomware notes on the Department of Health computer network, although Suffolk said there is no evidence “thus far” that personal data was stolen.

In a report from Unit 42, a division of Palo Alto, the company that provided firewall and other network protection services to the county in advance of the attack, investigators also said they found evidence that the hackers “staged and exfiltrated,” or exported, data from the county clerk’s network, as well as Suffolk’s main parent network.

Security experts say health data tends to be among the most highly sought by ransomware attackers and other hackers, in part because it often is rich with personally identifiable information. By encrypting data, the hackers blocked the county from access to it.

Suffolk spokeswoman Marykate Guilfoyle said the county’s Department of Information Technology and its incident response team are “coordinating closely” with County Clerk Vincent Puleo and “will notify any individuals if it is determined that their personal identifying information may have been impacted.”

WHAT TO KNOW

  • Investigators report finding evidence that hackers encrypted data and left ransomware notes on the Department of Health computer network during the Sept. 8 cyberattack.
  • A Suffolk spokeswoman said there is no evidence “thus far” that personal data was stolen.
  • Security experts say health data tends to be highly sought after by hackers, in part because it often is rich with personally identifiable information.

Suffolk has already acknowledged the Social Security numbers of up to 26,000 employees may have been exposed and that personal information of up to 470,000 people was “accessed or acquired” from the county’s Traffic and Parking Violations Agency server.

In the past, when the county has found that infiltrators compromised data by so-called exfiltration, or stealing and exporting copies, the government moved to alert those whose data may have been compromised. It is providing a free one-year subscription to a credit-monitoring and ID theft protection service from security firm Kroll (suffolkcounty.kroll.com). Word of the encrypted health department servers and exfiltrated clerk data appeared in the final pages of the three-page Unit 42 report.

The report stopped short of saying data had been exported from the health department site, which includes information from a broad array of county services. The pared-down Suffolk County government website lists behavioral health services, classes for diabetes prevention and tobacco cessation programs, wastewater matters and restaurant inspections as among numerous areas overseen by the health department.

In the report, investigators noted that they’d detected evidence that compromised connections used by the attackers made “lateral movement” to the Department of Health and the Sheriff’s Department networks.

“Up to Sept. 8, 2022, the threat actor staged and exfiltrated data from both the county and clerk [network] environments,” the report states. On the day of the attack, they wrote, “ransomware encrypted files and left ransom notes in the county, clerk and health environments.”

Guilfoyle, the Suffolk spokeswoman, said the forensic analysis “thus far has not provided any evidence that data was exfiltrated from impacted servers” in the health and sheriff departments.

“Additionally, at this time we have not identified any personal identifying information that was exposed on impacted servers within the health and sheriff's department,” she said.

Guilfoyle, who noted the forensic assessment is ongoing, declined to say what type of data is contained on the health department networks. Nor would she say what specific findings led to the conclusion that data that had been encrypted on the health department network had not been exported.

Michael Nizich, director of the Entrepreneurship and Technology Innovation Center and computer science faculty member at New York Institute of Technology, said it’s not clear how investigators could know for sure that the data was not stolen, given that the hackers had enough access to encrypt it. He said the wording in the report wasn’t clear enough to draw a conclusion one way or the other.

“If [attackers] exfiltrated data from the clerk and county, why do we think that the health environment is different?” he said. “It’s possible they didn’t take any health data, but I don’t see how you can assume that.”

Nizich said people whose data may be on any of the identified servers should probably operate as if it’s been viewed and sign up for ID theft protection and block new credit signups through the credit monitoring services, as he’s done.

Like other experts in a Newsday story last year, Nizich questioned the independence of the Palo Alto report, noting the investigation is “supposed to be an outside audit, it’s not supposed to be an audit by the company that was supposed to protect you.”