Hernando County ‘Notices’ Cybersecurity Breach 21 Months Later

https://www.hernandosun.com/2026/01/02/hernando-county-notices-cybersecurity-breach-21-months-later/

Publish Date: 2026-01-02 09:25:00

Author:

Using an unordered list, summarize the following article with between 4 and 8 key points. – Advertisement –
It has been over a year and a half since the Hernando County government website and many services went offline over the 2024 Easter weekend. Rhysida ransomware infiltrated the County government’s network, encrypting our data and causing an outage that crippled services. Hernando Sun has reported on this extensively, even finding on the dark web the auction of the data exfiltrated from the county’s network.
The county government has posted on its website a “public notice” on December 20, 2025, informing the public that a third-party specialist’s “investigation determined that limited information maintained on our network may have been acquired by an unauthorized actor between March 18, 2024, to March 30, 2024.” (This is not a legal notice since the county has not yet provided the ability required by law to request a mailed paper copy of the legal notices.)
There was no explanation of why it took a year and a half for a third party to determine that data was exfiltrated when your local newspaper, the Hernando Sun, knew that a year and a half ago.
The information that Hernando Sun has previously viewed on the Rhysida darknet site included screen captures of emails containing W-9 forms for county contractors, which listed those individuals’ social security numbers. There was an auction that Rhysida hosted for anyone interested in buying the data. The asking price was 40 bitcoins, or $2.8 million at the time. The auction ended without a buyer, so Rhysida made the data free for download on the dark web. The data included 11 downloadable files, which Rhysida said contains 6,190,346 files and totals 3.2 terabytes.
Screenshot of Hernando County data freely available to download on dark web, May 5, 2024.
In early May 2024, when Hernando Sun saw the data had been released on the dark web, we informed Hernando County Clerk of Court Doug Chorvat, who oversees the county’s Information Technology Department, that the information was available for download.
The offer of access to credit monitoring and identity protection services for potentially impacted individuals after more than a year and a half is most likely too late to be of much use. Most often, identity theft happens within a short time of the initial data being leaked.- Advertisement –

According to the Florida Information Protection Act, individuals affected by a breach should be notified as early as possible, but within 30 days, by any covered entity, including local governments. The deadline could be extended by 15 days if a request for good cause is sent to the Attorney General. Law enforcement could also request an extension if the disclosure could interfere with an active investigation. The fines for not providing the notice in a timely manner can be up to $500,000 per breach.
Link to county “public notice” https://www.hernandocounty.us/Home/Components/News/News/9642/429