
Data stolen in Jefferson County, Kentucky, cyberattack includes election information and employee evaluations



Officials at the Jefferson County Clerk in Kentucky confirmed this week that sensitive data such as personnel records, Social Security numbers and election administration information may have been compromised in a cyberattack last month.

On Monday, RansomHub, a ransomware group responsible for the July cyberattack on the Florida Department of Health, listed Jefferson County as a victim on its ransomware data leak site and claimed responsibility for the cyberattack. The group claims it exfiltrated 47 gigabytes of data from the county, a trove that could include election records and voter registration records dating back to 2008.

On a leak site, RansomHub’s countdown timer shows Saturday as the payment deadline. A ransom amount is not listed and the county clerk’s office would not confirm whether it has received a ransom demand.

“We are reviewing the leaked files to determine who we need to contact,” Ashley Tinius, a spokeswoman for the office, said in an emailed statement to StateScoop. “We will send a letter to anyone we identify, similar to other agencies that have fallen victim to these malicious actors. Federal law for private companies allows a full 60 days for notification, which is not very timely. Our internal policies allow 35 days to identify and notify individuals of the breach.”

Officials said they discovered the attack on July 22, days after the county reopened its offices following a two-week closure to clear a “significant backlog of work” caused by glitches in the KAVIS software, a system used primarily by county government employees to manage vehicle and boat transactions.

Jefferson County, which surrounds Louisville, has a population of 773,000. The county clerk’s office is responsible for managing documents ranging from property deeds to marriage licenses.

The ransomware group has posted a list of the files it claims to have stolen on the dark web. The list appears to include financial documents, alarm system details, invoices, human resources documents such as employee evaluations and termination letters, budget documents and customer contracts.

The extensive list includes Microsoft Word and Excel files with names such as “Special Election Officials.xlsx,” “Financial Accounting.doc,” and “Alarm Codes.xlsx.”

A researcher at Cyble Research and Intelligence Lab, who wished to remain anonymous, told StateScoop that what he found particularly troubling about the data leak was the apparent compromise of election administration data dating back to 2008.

“The data could potentially be used for phishing and to spread disinformation and misinformation to create confusion and panic among voters,” the researcher wrote in an email.

The file list includes 16 mentions of the word “voter” and 142 mentions of the word “election.” Some file names indicate what type of voting equipment the county uses for in-person voting. Based on information released by election technology tracker Verified Voting, the files could refer to equipment made by Nebraska-based manufacturer Election Systems & Software, including handheld optical scanners, ballot marking devices or commercial electronic voter rolls.

Analysts at cybersecurity firm Halcyon speculate that RansomHub is a rebranding of the Black Cat/ALPHV gang, which went underground in February after orchestrating a disruptive cyberattack on Change Healthcare, a subsidiary of UnitedHealth Group, the largest private health insurer in the U.S. RansomHub raised $22 million as a ransom after nearly 4 terabytes of confidential data were stolen.

AJ Vicens contributed reporting.


Written by Sophia Fox-Sowell

Sophia Fox-Sowell covers artificial intelligence, cybersecurity and government regulation for StateScoop. Previously, she was a multimedia producer at CNET, where she covered private sector innovation in food production, climate change and space through podcasts and video content. She earned her bachelor’s degree in anthropology from Wagner College and her master’s degree in media innovation from Northeastern University.
