eHealth cyberattack affected millions of files, was one of Sask.'s worst breaches ever: privacy commissioner

Saskatchewan's information and privacy commissioner is calling last year's ransomware cyberattack on eHealth one of the province's largest privacy breaches ever.

On Dec. 20, 2019, an SHA employee opened an infected Microsoft Word document on a personal device while the device was being charged by USB cord at their workstation.

Opening the document triggered a Ryuk ransomware attack between Dec. 20, 2019, and Jan. 5, 2020, a news release from privacy commissioner Ron Kruzeniski's office published on Friday said.

Kruzeniski found the attack affected some 50 million files and about 5.5 million of those files may have contained personal information and/or personal health information.

"A minimum 547,145 files containing personal information and/or personal health information of citizens of Saskatchewan were either exposed to the malware or maliciously stolen from eHealth, SHA and [the ministry of] health," the release said.

In total, about 40 gigabytes of encrypted data was extracted. On Jan. 21, 2020, eHealth discovered the files were sent to IP addresses in Germany and the Netherlands.

Kruzeniski concluded the information in the files was either exposed by the malware or outright stolen in one of Saskatchewan's most significant privacy breaches ever.

"[The affected groups] have not been able to determine if it's yours, or mine, or someone else's," Kruzeniski told CBC News.

"That is one of the added problems in this particular area, is the thieves have done it in such a way, how do you know exactly what they got?"

3 missed opportunities

The commissioner's investigation found there were three critical opportunities where the ransomware could have been detected — two by eHealth and one by the SHA employee.

"Had these opportunities not have been missed, eHealth may have been able to detect the ransomware, shut down its systems and stop the extraction of data," the release said.

He found eHealth did not give sufficient notification about the ransomware attack and that the SHA and Ministry of Health failed in their notification efforts because eHealth was too slow to notify them.

Kruzeniski said the employee who opened the infected email document had privacy-related training but ultimately lacked training in the SHA's Acceptable Use of Information Technology Assets policy.

He said there were also previous warnings on the employee's file that were not taken seriously by the employee or their bosses.

"New and better and bigger cyberattacks continue to occur," he said, adding training in cybersecurity is a constant and ongoing process.

Independent review among calls

The commissioner made several calls for change on Friday, including requesting an independent review of governance, management and program from the minister of health based on concerns raised by the provincial auditor, SaskTel and his own report.

Kruzeniski called for eHealth specifically to conduct a comprehensive review of security protocols, and on the SHA and Ministry of Health to take immediate steps to provide mass notifications, including to media outlets.

He called on eHealth, the SHA and the Ministry of Health to work together to provide identity theft protection, including credit monitoring, to the affected individuals for at least five years in the event their information is found on the dark web.

He asked eHealth to review whether it should have 24-hour-a-day IT security staff in place to investigate potential threats in the future.

Kruzeniski called for eHealth and its partners to complete cybersecurity and privacy training on an annual basis.

"I think it's extremely important that we as citizens expect that that work will be completed as soon as practical in the middle of a pandemic," Kruzeniski said of his recommendations.

"I think it's fair for us to accept that we should insist upon the highest standard of security when it comes to protecting the most sensitive information we have."

eHealth released a report on the attack near the end of December and outlined some of the measures it was taking to boost security and prevent future ransomware attacks.

Minister responds to report

At a news conference on Friday, Health Minister Paul Merriman said the government would take action immediately and in the future to address Kruzeniski's recommendations.

Merriman said the deputy minister of health would investigate why it took so long for the public to find out about the extent of the cyberattack.

eHealth, the Ministry of Health and the SHA released an update on the extent of the data breach on Dec. 22, 2020, roughly one year after it happened.

"Some of the initial reasons that I've been told is we didn't know the absolute depth of where this cyberattack was," Merriman said.

"This was a very, very sophisticated attack that eHealth had not seen before… I feel it was very important that the general public knew the depth and the breadth of the attack."

When asked who would be held accountable for the attack, Merriman said he would continue to look into Kruzeniski's report but was unable to comment on whether or not there would be judicial action taken.

He said he would look into the financial, cultural and technical issues outlined within the new report and similar reports issued by other provincial officials.

A government news release said all 25 recommendations made by Kruzeniski directed to eHealth, the Ministry of Health and the SHA, would be responded to within 30 days and that Merriman's office would receive quarterly updates on the steps taken to implement them.

The news release also said the health minister would address the privacy commissioner's call for an independent review of eHealth's governance, management and program operations.