Hernando County Data Breach and Late Notice Raise Legal Concerns

Hernando County’s digital systems were hit by Rhysida ransomware in mid-March 2024, an attack that encrypted data and forced a multi-day outage that included the 2024 Easter weekend. A recent public notice posted by the county on December 20, 2025 states that a third-party specialist’s investigation determined that limited information maintained on the county network may have been acquired between March 18 and March 30, 2024.

The malicious actors moved from an auction attempt to releasing the stolen content free for download on the dark web. The material made available included screen captures of emails containing W-9 forms for county contractors that listed social security numbers, along with other files. The release consisted of 11 downloadable files, which the attacker claimed contained 6,190,346 files totaling 3.2 terabytes. The attacker had initially offered the data for 40 bitcoins, roughly $2.8 million at the time, but the auction closed without a buyer before the data was published.

County officials were informed that the data was publicly available in early May 2024. The County Clerk of Court, Doug Chorvat, oversees the county’s Information Technology Department. The county’s December 2025 posting describes the third-party finding as limited and does not detail all categories of exposed records or the identities of everyone affected.

The timing and form of the county’s disclosure carries both practical and legal implications. Under the Florida Information Protection Act, covered entities must notify affected individuals as early as possible and within 30 days of confirming a breach, subject to a possible 15-day extension for good cause or a law enforcement request that disclosure would interfere with an active investigation. Penalties for failing to provide timely notice can reach up to $500,000 per breach.

For residents and contractors, the delay diminishes the preventive value of post-breach remedies such as credit monitoring and identity recovery services, since identity theft often occurs soon after a leak. Individuals whose W-9 information was exposed should verify financial and tax records, monitor credit reports, and consider placing fraud alerts or credit freezes where appropriate. Those seeking specific guidance or confirmation of exposure will face uncertainty until the county provides a clear list of affected record types and notification procedures.

The long interval between the intrusion, public availability of the data, and the county’s formal announcement raises questions about the effectiveness of incident detection and notification processes within county government. The situation underscores the need for transparent communication, clear timelines for remediation, and accountable oversight of public-sector cybersecurity to protect residents and contractors from the long-term harms of data exposure.