Delay, Deny, Defend Part 4 – That Time the County Cited an Investigation to Delay Releasing Records Then Claimed the Records Didn’t Exist

This is Part 4 of our series discussing Washington County Government transparency concerns. Part 1 discussed Washington County’s constructive denial of records related to the ICE Warehouse, and Part 2 discussed how the County appears to be favoring some news outlets with press requests, while stonewalling others (including this one) with cumbersome mandates to use the MPIA process which the County has constructively denied records for in Part 1. Part 3 discusses conflicting information regarding the Treasurer’s salary, and how the County’s restrictive policies prevent us from asking simple questions directly to the county.

Part 5 is now available.

You probably remember back in 2022, when Washington County Government experienced a significant cybersecurity “incident” which in fact turned out to be a ransomware attack costing Washington County’s insurance carrier millions of dollars, resulting in higher cyber insurance rates for the county. But what you probably missed was the County’s attempts to prevent transparency surrounding the incident, which was only achieved after pointing out conflicting records.

In February 2023, Radio Free Hub City submitted a request to obtain information related to the November 2022 cybersecurity “incident” in Washington County Government. We fully expected this request to be denied, but in doing so the county confirmed that the records we sought existed. On February 27, 2023, then County Assistant Attorney Zach Kieffer denied the request for multiple reasons, including that there was a pending investigation. The first page of this response is below, which contains no mention of outside counsel or contractors holding records.

In July 2023, we submitted a follow-up request for the following:

-Summary records ONLY of data which was exfiltrated or compromised related to the Cybersecurity Incident on Thanksgiving Day, 2022. This includes data which was unencrypted or encrypted, and relating to information about Washington County residents, properties, and businesses.
-If no records exist, please indicate as such

County Attorney at the time Kirk Downey once again denied this request, going to great lengths to explain why we couldn’t obtain the requested records. Of course, one Downey’s primary justifications was that there was still an investigation. We immediately challenged this response, citing Maryland notification and disclosure requirements related to data breaches. Ultimately this matter went to the PIA Compliance Board. In his response to our PIACB challenge Downey included additional comment that some of the records would be held by outside counsel or forensic investigators, as well as the county providing a previously unreleased summary of the requested data as part of their response to the PIACB.

In November, 2024, we filed a third request regarding the incident, noting that information should be releasable now that the investigation had concluded. A single email thread was provided, which indicated that while Washington County had initially engaged with the FBI, they would instead be working with Washington County Sheriff’s Office. However, upon reaching out to Washington County Sheriff’s Office, we were informed that they did not investigate the matter.

Noting this conflict between official records, we contacted Zach Kieffer (who had since become County Attorney), pointing out that the in addition to the conflict between WCSO and County Government records regarding the investigation, County claiming no other records existed could be interpreted as claiming that Kirk Downey, who was now a sitting judge in Washington County, did not represent the full truth in his denials of our initial requests for records. While Kieffer attempted to dodge that by stating that Downey did not confirm or deny the existence of records but merely denied the request, he agreed to re-open the request and look for additional records. As we pointed out to County Attorney Kieffer, if no additional records existed, the county certainly went to great lengths to deny access to records that didn’t exist, and that Washington County appeared to be “moving the goalposts” to prevent the records from being released.

The result? Over 300 additional pages of records that the County did not initially disclose, including records detailing the nature of the incident and the fact that the County’s insurance provider paid a ransom of $850,000. None of these records were under the control of a third party, and all were within Washington County’s control as custodian. Additionally, it was revealed that Washington County Government allowed a critical vulnerability to go unfixed on a “legacy server” for almost a year, as the Log4Shell vulnerability was publicly announced in December 2023/January 2024. This vulnerability has a 10.0 critical rating, the highest rating for any cybersecurity vulnerability.

None of the responsive records indicate that a law enforcement investigation was ever conducted regarding this incident, and the FBI did not have any available records responsive to our requests. By July 25, 2023 (the date of our second request), the actual investigation into the ransomware attack appears to have actually been over, yet the County appears to have continued to use the “investigation” claim as a legal shield to deny our records request until we forced the matter over a year later.

The county has since implemented significant improvements in their cybersecurity posture, including multi-factor authentication and robust cybersecurity intrusion detection and prevention systems.

Our records related to this incident, and more, are in our DocumentCloud repository for Washington County Government.

Part 5 of this series is now available.

Article by Ken Buckler based upon public records requests.

---