Attorneys for Circuit Court Judge Paul Phillips argue that Phillips acted within his authority and interpreted state law correctly when he found State Public Defender Diane Lozano to be in contempt of court this summer, according to a brief filed with the Wyoming Supreme Court last week.
On May 1, State Public Defender Diane Lozano notified Circuit Court judges that her attorneys in Campbell County would no longer represent people charged with misdemeanors.
She said public defenders in Campbell County had such a heavy workload that they were unable to fulfill their ethical obligations in representing those who can’t afford private counsel.
A couple of weeks later, Phillips found Lozano to be in contempt of court and fined her $1,500 a day. The case is now before the state Supreme Court.
Phillips and the Circuit Court of the Sixth Judicial District are represented by Hampton O’Neill, John Masterson and Alaina Stedillie of Casper. Lozano is represented by state Attorney General Bridget Hill and deputy attorney general Michael McGrady.
In August, Lozano and her counsel argued that Phillips exceeded his authority when finding her in contempt, wrongly interpreted state law and abused his discretion by fining her without following the proper process and without “factual basis.”
In a brief filed with the Wyoming Supreme Court on Wednesday, O’Neill wrote that Lozano failed to provide an alternative solution to the public defender issue “other than pure disobedience of lawful court orders.”
“There is no dispute that (Phillips) issued lawful orders appointing the Public Defender’s Office to represent two indigent defendants,” O’Neill wrote, adding that Lozano “deliberately violated those orders.”
A circuit court “has the inherent power to compel compliance with its orders through civil contempt findings,” O’Neill wrote.
Phillips also correctly interpreted the Wyoming Public Defender Act, his counsel wrote. Lozano said the law allows her to declare her office “unavailable.” While this is true, O’Neill wrote that Phillips’ authority to appoint the public defender under state statute “takes precedence over any right the public defender may have to assert her unavailability.”
Lozano “refused to acknowledge” the Circuit Court’s authority and “she knew the appropriate process, but chose to ignore it,” O’Neill wrote. “Her actions — far better than her words — prove that she never intended to negotiate or engage in a discussion.”
If the Supreme Court sides with Lozano in this case, O’Neill wrote, “she alone decides if, when and under what circumstances her office will accept indigent defense appointments from the Circuit Court.
“This proposition creates a chaotic and uncertain logistical and legal landscape utterly contrary to the intent of the Public Defender Act,” he wrote, adding that the indigent defendant is the one who suffers most from this uncertainty, which is “a perverse result.”
Julie Greco admits she wasn’t at her best Sept. 20.
Like other patients being treated at Campbell County Memorial Hospital that day, she was decidedly less than optimal while recovering from a surgery that ultimately kept her hospitalized for about two weeks.
She also had a bedside view to observe Campbell County Health staff and officials scramble in response to another emergency.
At about 3:30 that morning, the organization was hit with a catastrophic and total ransomware attack that locked out, or “bricked,” their entire digital framework. Computers, servers, specialized systems for state-of-the-art treatments and even email had been encrypted by a hacker demanding a ransom to release the lockout.
“As a patient, you’d hardly know anything major was going wrong,” Greco said. “They came in my room and were so amazing. They just said, ‘Oh, we’re having a little bit of a computer issue.’ They did not complain, no stress. They just continued to do their jobs and you wouldn’t have known things weren’t going so well.”
Another emergency response
While some patients like Greco may not have noticed much stress from the staff and administrators at Campbell County Health in the 10 days since the ransomware attack, it’s been plenty stressful, said CEO Andy Fitzgerald.
The organization has drilled and planned for potential cyberattacks on its computer systems, but it’s different when it actually happens, he said. Health care workers face high-stress emergency situations every day, which has helped limit the confusion and frustration.
“Our IT department has literally worked night and day through this to where now we’re seeing a little light at the end of the tunnel,” Fitzgerald said Friday afternoon.
His team has spent much of this past week assessing the potential damage to CCH’s computer network, along with cooperating with the FBI and state Office of Homeland Security to investigate the attack.
At the same time, the hospital, the Legacy Living and Rehabilitation Center and CCH’s other clinics and offices are seeing more patients, but still have other area hospitals on alert in case people need to go elsewhere for specific treatment, he said.
A week after an official likened the hospital to a digital war zone littered with cords to unplugged computers snaking everywhere, CCH is working to bring its systems back online and resume normal operations.
“We’re in what we refer to as restoration mode,” Fitzgerald said. “We’re restoring all our systems. We’re getting much closer to having our systems back online than we were certainly a week ago.”
He said some patients had to be referred to other hospitals, but that’s slowing down.
“We’re taking more and more of those patients back,” Fitzgerald said. “We suspect that we will be fully resolved no later than early next week.”
While the attack was bad, it wasn’t totally devastating, he said. For the most part, existing computers and equipment can be wiped and used again. Also, the attack did not affect the organization’s patient information and backup files.
“Not only do we have it and it’s intact, we have up until this very moment no evidence that any patient data or any other data left our organization,” Fitzgerald said.
What is ransomware?
Ransomware is a type of malware, which in effect is a computer virus with a specific purpose. In this case, once it infiltrates a computer or server, it launches a program that encrypts all the information on the device.
Instead of running as normal, the device displays a ransom message telling the user that if certain demands are met, the hacker will provide a key to remove the encryption. If not, the computer remains basically unusable, or “bricked.” The machine or server could be wiped clean with new software installed to start fresh, but any important information that wasn’t backed up would be lost.
It’s also not a new thing in the world of cybersecurity. People on their home computers have been hit with versions of ransomware for more than a decade, said Daniel O. Deter, manager of information security at Denver-based Green House Data.
In those cases, people typically were told to pay a ransom of about $300 or so, he said. Today, the trend is for hackers to target large companies and government entities, like cities and counties, because they’re insured against the attacks and are more likely to pay a ransom.
“What we see with ransomware, and it’s very popular right now, is that even if 99% of the people don’t pay you, even if 1% do, you make money,” Deter said. “We are increasingly seeing public-type infrastructures like government agencies and hospitals get hit.
“I don’t know about this attack (at CCH), but I would bet this happened through a phishing attack. They’re almost always that, and phishing remains massively effective.”
Phishing is when a malicious email is sent out asking the recipient to click on a link in it. It may appear to come from someone the recipient knows or a trusted organization, but once it’s acted upon, that’s all it takes to plant the ransomware seed, Deter said.
Just how bad an attack could be for an organization depends on its preparation, he said, especially if it has secured backups of critical data and processes.
“I hope these guys (at CCH) have backups, because if they don’t have a recent backup, chances are (the information is) gone,” he said.
But if you do have a backup, “the basic process is simple. You reinstall your backup over the encrypted image,” he said. “If you have good backups, your overall downtime could be as little as 15 minutes to an hour per installation.”
At 1,500 computers, even that simple backup restoration could take quite a while for Campbell County Health, Fitzgerald said. Also, some computers and equipment require very specific and specialized software that has to be reinstalled and calibrated.
Whether or not the investigation into the attack on Campbell County Health results in identifying a suspect person or group, actually catching someone and making an arrest is unlikely, Deter said.
“The percentage likelihood of that is very, very small,” he said. “It’s almost impossible to attribute an attack to a person and very unlikely to an organization or a government. A lot of attacks, a majority of attacks, extend from the United States, but due to VPN and proxies, there’s no way to know the source of an attack.”
In some cases, the ransom messages themselves reveal information about where in the world it came from, Deter said. How good the English used in a message is, where it’s not good and how it’s used improperly can help narrow that down.
As for the attack at Campbell County Health, officials aren’t giving out any specific information pending the ongoing investigation, Fitzgerald said. That includes what the ransom demand was and whether CCH agreed to pay it.
Deter said that systems still being down and work to restore them continuing a week after a ransomware attack tells him that it seems likely CCH did not pay a ransom to get its computers unlocked.
To pay or not to pay?
Nearly as frustrating as being hit by a ransomware attack is deciding whether to pay the demand, Deter said.
As reports of attacks have increased in recent years, there are numerous examples of cities, counties, school districts, hospitals and other organizations that have given in and paid ransoms. Those can range from a few thousand dollars to several hundred thousand dollars and well into the millions of dollars, depending on the size of the organization. Some hackers demand payment in the cryptocurrency bitcoin, which can be worth thousands of dollars per coin.
In April 2018, a school district in Leominster, Massachusetts, paid a $10,000 ransom in bitcoin. The demand for another school district was a bitcoin per student. At the time, bitcoin was worth about $3,800 each.
In Lake City, Florida, a small town of 12,000 people, officials agreed to pay a $460,000 ransom to recover more than 100 years’ worth of records, information and images of historical documents. But weeks after the city’s insurance company paid the ransom, Lake City had some of its systems back like phone and email, but not all of its records and files.
That points out another glaring risk with paying a ransom, Deter said.
“You’re dealing with people who aren’t really that honorable in the first place, so it’s a risk to think you’d get all your information back, or any of it,” he said.
Just last month, a coordinated cyberattack bricked the computer systems of agencies in 22 small towns in Texas. As the municipalities and state worked to restore the systems and reverse the damage, information about whether any of the towns elected to pay the ransom was not released.
It only takes one click
Campbell County Emergency Management Coordinator David King said county officials plan for a potential ransomware threat as a normal course of business. But staff and agencies seem more alert since the attack at CCH.
If the county’s systems were compromised, “it would be a disaster,” King said. “But what is an emergency, what is a disaster and what is a catastrophe? A house fire is an emergency for the firefighters, but could be a disaster for the neighborhood and a catastrophe for those living there personally.”
At least once a quarter, if not more often, the county’s IT department will send out its own fraudulent phishing emails to see if county employees respond as they’re trained to, which is to not open them and alert IT.
One of those tests at about this time last year had 7.6% of county employees click on the link included in the fake email. While the average for a government organization the size of Campbell County is about 25%, just doing better than the average isn’t good enough when it comes to cybersecurity, King said.
“It only takes one to click that,” he said. “I know it may seem boring when your IT guys keep harping on security, but pay attention now to what’s happening at the hospital.”
As for CCH, King has been part of daily conference calls with a number of state agencies and said that they know which server at CCH was “patient zero” for the attack. He also said it’s clear that even some of the most prepared agencies in the state have been targeted, like a police department and a pair of Department of Transportation servers.
About a week before the CCH attack, King said another Wyoming agency was hit with a ransom demand of $2 million to $3 million. He wouldn’t identify the agency, but said it was determined that the hacker got in through a fraudulent email that was clicked on six times by people at the agency.
From 2016-2018, King said there have been at least 68 ransomware attacks just in the nation’s emergency service agencies and hospitals.
“They’re hoping they get a target that will just roll over and pay,” King said, adding that most breaches are human error. “The bad guys only have to be good once. The good guys have to be good every time.”
More than an inconvenience
Although some patients like Greco said the attack didn’t seem to affect their care at Campbell County Health, others have had to go elsewhere.
Nancy Rasmussen owns Boardwalk Hair in Gillette and said that much of the talk this past week in her salon has been about the ransomware attack.
“People are mostly worried about if their information is secure or not and what do they do now?” she said. “There’s a lot of concern, but we’ve also heard they have things in place to take care of anything that needs taking care of.”
Rasmussen said her niece had to make a trip to the emergency room the day of the attack, but staff couldn’t run a needed test because computers were down, so she was sent to Sheridan and now will likely get bills from both hospitals.
Her daughter was scheduled for surgery last week and, after initially thinking it may have to be rescheduled, was able to have it done at Campbell County Memorial Hospital.
For Cynthia Treadwell, the attack happened at the absolute wrong time. She’s seeing a new doctor elsewhere for chronic spinal cord scarring and pain, which has left her partially debilitated on one side.
Her medical records were to be faxed to her new doctors the day of the attack, but couldn’t be. Without those records, her new doctor hasn’t been able to chart a path of treatment and “my process has come to a screeching halt,” Treadwell said.
Getting close, moving on
The frustration over accessing needed medical records is real, but will soon be relieved, Fitzgerald said.
“We’ve certainly learned some things through this,” he said. “I think we responded very well given the unique nature of the event itself.”
He also said that just how much the ransomware attack could end up costing the organization is unknown now because the focus so far has been getting the systems up again.
“It’s safe to say there’s a financial impact,” he said. “What the scale of that is at this point, we haven’t had time to assess that and there’s really too much unknown to venture a guess.”
When the systems are back running as usual, Fitzgerald said CCH will re-examine what happened and its security.
Being extra vigilant about emails and electronic contacts “is the world we live in,” he said. “We all have to be careful.”