By Michael Phillips | MDBayNews
Maryland’s official property records database has been offline for ten days following a cybersecurity incident — and state officials still haven’t said when it will come back. But the real story isn’t the outage. It’s the pattern behind it.
In the past fifteen months, Maryland has absorbed at least four significant cybersecurity incidents across state and county government. Its legislature just adjourned without passing either major cybersecurity bill it considered this session. And the state’s own budget documents reveal that Maryland appropriated $28 million for cybersecurity assessments in fiscal year 2025, spent roughly 10 percent of it, and cannot fully account for where the rest went.
That is not a record consistent with a state that takes cyber resilience seriously.
What Happened at SDAT
On April 14, the Maryland Department of Information Technology detected what it described as “suspicious activity” on servers running the State Department of Assessments and Taxation’s Real Property Search website. Officials took the system offline the same day, where it remains. The state has said preliminary analysis suggests only publicly available information was involved and that it does not anticipate broader risk — though its investigation is ongoing.
The outage has disrupted real estate transactions across Maryland during a peak business filing period, forcing residents, title companies, and appraisers to contact county offices manually for records that were previously available online.
No timeline for restoration has been provided.
This Is Not an Isolated Incident
The SDAT breach is the latest in a documented series.
In January 2025, Frederick Health Medical Group — one of Frederick County’s largest employers, with roughly 4,000 employees and more than 25 locations — was hit by a ransomware attack that ultimately compromised the personal and medical information of 934,326 patients. Social Security numbers, dates of birth, addresses, health insurance data, and clinical information were among the data exfiltrated. The attack was severe enough that ambulances were diverted from Frederick Health Hospital, which was placed under a “mini disaster” designation by Maryland’s emergency medical services system. At least five class action lawsuits have been filed against the health system.
One month later, in February 2025, Anne Arundel County — home to nearly 600,000 residents and the state capital — was hit by a ransomware attack that forced county buildings to close and disrupted government services for days. The attack accessed files containing names, addresses, and medical diagnoses held by the county’s Department of Health. County Executive Steuart Pittman acknowledged at the time that Anne Arundel’s IT systems had been “falling behind for several years.”
Then, in January 2026 — less than a year later — Anne Arundel was hit again. A second cyber incident of “external origin” forced another round of county building closures and service disruptions.
Now SDAT.
The Legislature’s Response: Nothing
Maryland’s General Assembly adjourned sine die on April 13 — one day before the SDAT incident was detected — without passing either of the two significant cybersecurity measures it considered this session.
Senate Bill 183 would have established a Maryland Cyber Reserve within the Military Department to provide technical support and educational resources to help state, county, and local government agencies prevent and respond to cyberattacks. It did not pass.
A companion measure regulating data safety and cybersecurity protections for government-adjacent technology also failed to advance.
The Maryland Association of Counties, which had supported SB 183 with amendments, noted that counties face an “increasingly complex threat landscape targeting public systems and sensitive data” and that cybersecurity has become “a core function of government operations.”
The General Assembly apparently disagreed — or at least deprioritized it.
The Budget Problem
The spending record is harder to explain away.
According to the Department of Legislative Services’ analysis of the FY2027 Department of Information Technology budget, Maryland appropriated $28 million in general funds for statewide cybersecurity assessments in fiscal year 2025. Only $3.1 million — roughly eleven percent — was actually spent. Another $8 million was reverted after cyber procurement contracts were never completed.
That left $16.9 million unaccounted for. DLS flagged the gap directly, stating that DoIT should “clarify the utilization of the $16.9 million remaining.”
The FY2027 budget allocates $4.4 million for the same cybersecurity assessment purpose — a fraction of what was appropriated two years prior, and a tacit acknowledgment that the state doesn’t expect to spend more than that even if it budgets it.
The Governor’s Framing
Governor Wes Moore has repeatedly positioned Maryland as a future hub for the cybersecurity industry — an economic development pitch aimed at attracting companies and jobs to a state with significant federal contractor and intelligence community infrastructure.
“Maryland can be the capital of quantum computing and cybersecurity,” Moore said in his FY2027 budget address in January.
That ambition is not necessarily inconsistent with also protecting state systems — but the record suggests the administration has invested far more energy in the former than the latter. Cybersecurity as an industry recruitment pitch and cybersecurity as a government infrastructure obligation are different things. The incidents of the past fifteen months suggest Maryland has been more focused on selling the first than delivering the second.
What Comes Next
The SDAT investigation remains open. No timeline for restoration has been given. The state has not disclosed the attack vector, the scope of any intrusion, or whether any data — public or otherwise — was accessed beyond what was already visible on the website.
What is clear is that Maryland’s government cyber posture has been tested repeatedly, that the legislature just left Annapolis without strengthening it, and that tens of millions of dollars appropriated to assess and address the problem have gone largely unspent.
The property records database will eventually come back online. The underlying questions about whether Maryland is doing enough to protect its systems — and its residents — will not be resolved by a server restart.
Sources: the Maryland Department of Information Technology, the Department of Legislative Services’ fiscal year 2027 budget analysis of the Department of Information Technology, the Maryland Association of Counties’ 2026 end-of-session information technology wrap-up, breach data reported to the U.S. Department of Health and Human Services, the Maryland Institute for Emergency Medical Services Systems, and the Office of Governor Wes Moore. Additional background drawn from reporting by BleepingComputer and The HIPAA Journal on the Frederick Health data breach.
Keep MDBayNews Reporting Free
MDBayNews exists to help Marylanders understand decisions made by state and local leaders — especially when those decisions affect daily life, rights, and public services.
If this article helped clarify what’s happening or why it matters, reader support makes it possible to keep publishing clear, independent reporting like this.
Have a tip or documents to share?
We review submissions carefully and confidentially. Anonymous tips are welcome when appropriate.
Discover more from Maryland Bay News
Subscribe to get the latest posts sent to your email.