TALLAHASSEE 鈥 More than three months after a computer system serving as a backbone of the Florida Department of Juvenile Justice was hacked, many contractors providing services to at-risk and troubled youths remain unable to access the network.
Efforts to bring the network back online were still ongoing as the state was hit with a second cyberattack that resulted in outages of the Florida Department of Health鈥檚 Vital Statistics System. The statewide system is used to process birth and death certificates, among other records.
Reports that cyber-thieves RansomHub had hacked into the vital statistics system began circulating July 1 on social media. The hackers threatened to release health department data on the dark web if the state did not pay an unspecified amount of money by last Friday. Florida law prohibits state and local governments from paying ransom for cyberattacks.
The interruption of the vital statistics system has put funerals on hold and created financial issues for people who need death certificates to process bank account changes, make insurance claims or seek updates to Social Security benefits.
The health department 鈥渋s coordinating with law enforcement and all relevant stakeholders鈥 and is 鈥渨orking diligently to resolve the temporary outage鈥 affecting the system, agency spokeswoman Jae Williams said in an email Tuesday.
READ MORE: Cyberattacks on healthcare systems are on the rise in Florida
鈥淭o facilitate continued operations of death certificates, the department has worked closely with funeral homes and health care facilities to implement offline procedures during this period. These instructions have been provided to all licensed funeral directors statewide. In addition, all county health departments have been provided the necessary resources to issue death certificates offline during this time,鈥 Williams wrote.
Health officials also are asking for help from health-care facilities and physicians 鈥渢o expedite hand-signed death certificates,鈥 the email said.
鈥淭his collaboration across all partners will assist families in navigating difficult times with minimal disruption,鈥 Williams added.
State Surgeon General Joseph Ladapo said his agency is 鈥渨orking around the clock鈥 to restore the system and that 鈥渢he majority鈥 of the agency鈥檚 operations and services 鈥渞emain operational and unchanged.鈥
County health departments are able to issue copies of birth certificates for babies born before June 28, according to Williams鈥 email. State health officials are working with hospitals to manually process birth certificates for births on or after June 28.
The Vital Statistics System incident occurred about three months after a cyberattack on the Department of Juvenile Justice network, known as the Juvenile Justice Information System. The agency confirmed this week that the network remained inaccessible for many contractors, who handle the bulk of services provided to at-risk and troubled minors, but was up-and-running for agency employees.
鈥淥n March 29th, the department was made aware of a potential cybersecurity incident and proactively brought its systems offline in an abundance of caution, as is often the standard practice. The department has been strategically bringing systems back online in phases to ensure the security and integrity of our data systems. All DJJ-staffed sites have access to the Juvenile Justice Information System with partners鈥 access in the coming days,鈥 agency spokeswoman Amanda Slama said in an email.
The network includes detailed data about children who have been referred to the Department of Juvenile Justice, including health records, risk assessments, service plans and referrals for mental-health services. Service providers have been documenting work on paper while the system has been offline.
鈥淚 think, in this situation, three months is too long,鈥 Aaron Ward, chief information security officer for iVenture Solutions, a Florida-based information-technology and cybersecurity company, told The News Service of Florida on Wednesday. 鈥淪omething is wrong. 鈥 This is not a good look for Florida. This is not a good look for cybersecurity or IT professionals in general.鈥
Ward鈥檚 company, which specializes in small- and medium-sized businesses, is not involved in addressing either of the attacks on the state systems.
Hacks such as the one that hit the health department usually start with what is known as a 鈥渂usiness email compromise,鈥 or BEC, Ward said.
鈥淭hat is such a huge, prominent vector of getting initial access, because it鈥檚 low effort on attackers, right? They just figure out who they want to attack, use social media, or just normal internet information to get a bunch of email addresses and then flood those email addresses with tricky emails,鈥 he said.
A user clicks on one of those emails, is taken to what looks like a familiar webpage and enters their credentials into what Ward called 鈥渁n evil portal.鈥
鈥淪o they see the user name and password and, boom, I鈥檝e got access. Then it all depends on the amount of layers of security the organization has to detect threats and things like that,鈥 Ward said. 鈥淚n my opinion, the biggest bang for buck that organizations can do is end-user awareness training. And I know the state of Florida does that. But I don't think it's very effective. I think they're teaching it wrong.鈥
Sen. Jennifer Bradley, a Fleming Island Republican who chairs the Senate Criminal and Civil Justice Appropriations Committee, said the Department of Juvenile Justice acted quickly to protect the data in the JJIS system. She said children continued to receive services.
鈥淭here鈥檚 always more that we can do and I think the technology evolves, but I think we want our state agencies, if they believe that their system has been breached, we want them to take these precautions. We don鈥檛 want all the data revealed,鈥 Bradley said in a phone interview. 鈥淚鈥檓 glad they took the steps that they did to protect the information, to protect the system. 鈥 Certainly, everyone wishes it could happen a lot quicker.鈥
