The Montgomery County Board of Developmental Disabilities (MCBDDS) in Dayton, Ohio this week notified (PDF) an undisclosed number of people about a February 19, 2024 data breach that compromised names, Social Security numbers, and driver’s license numbers.
Ransomware group BlackSuit in May claimed responsibility for the attack. The group said it stole business data including contracts, contacts, planning data, and presentations; employee data including passports, contracts, contacts, family details, and medical examinations; and financial data including audits, reports, payments, and contracts.
A stakeholder meeting further mentioned (PDF) birth certificates, addresses, phone numbers, email addresses, medical records, banking info, insurance info, and photos.
From the meeting minutes, we can infer some systems were encrypted by ransomware. MCBDDS was forced to shut down many of its computer systems as a result. An alert posted on MCBDDS’ website states that its email system is still down as of time of writing.
The Board’s March 19 meeting minutes (PDF) state, “The Data Processing Board downtown recently approved the purchase of the equipment we need in order to restore our system and the equipment has been ordered. We are hoping to be back up and running by the end of April. In the meantime we have our HIPAA compliant Gmail to keep business going. The state gifted us 50 computers to use to access the state systems and the county provided a couple of work spaces where our team can go in and access systems.”
The CEO of the the Board posted the following video on May 17, 2024:
“It’s upsetting that there are bad people out there that would target organizations that are trying to help and serve,” she says in the video.
We do not yet know how much the ransom demand was, whether the MCBDDS intends to pay it, or how attackers breached its systems. Comparitech contacted MCBDDS for comment and will update this article if it responds.
Comparitech recommends victims take advantage of the free credit monitoring offered by MCBDDS via TransUnion. Monitor your credit report, medical bills, and bank statements for suspicious activity.
Who is BlackSuit?
BlackSuit first emerged in April 2023 and has a history of attacking critical industries like healthcare, government, and education. It’s a private operation and doesn’t employ a ransomware-as-a-service business model. Blacksuit often extorts victims twice: once for the decryption key to restore attacked systems, and again in exchange for not selling or publishing stolen data.
Comparitech has logged 26 confirmed attacks by BlackSuit since its first confirmed attack in May 2023. Some of its biggest attacks this year are Group Health Cooperative of South Central Wisconsin with 533,809 people affected, TRC Talent Solutions with 158,593 people affected, and Jackson County, MO.
We have also tracked 41 unconfirmed attacks via this group so far this year.
MCBDDS has not confirmed BlackSuit’s claim.
Ransomware attacks on US government organizations
Government entities and public services are frequent targets for financially-motivated and state-sponsored hackers alike. In addition to data theft, ransomware attacks can lock up critical computer systems until a ransom is paid to unlock them.
Comparitech has tracked 31 confirmed attacks against US government organizations at all levels so far this year, affecting 50,757 records.
About MCBDDS
The Montgomery County Board of Developmental Disabilities Services is a local government agency that coodinates funding and services for people with intellectual or developmental disabilities. It is one of 88 such boards in Ohio. Services include behavior support, early intervention, mental health, recreation and respite, and residential placement services.