eHealth ransomware attack potentially catastrophic for Sask. health card holders: cybersecurity expert

CBC

June 11, 2020 at 7:00 a.m.·5 min read

The bad guys slipped the virus into the eHealth Saskatchewan computer system on Dec. 20. For the next 17 days, it crept undetected through the network, copying some of the most sensitive health and personal information collected by government.

This massive intrusion stopped Jan. 6, but not because the cyberthieves were caught. That's when the shakedown began.

Employees trying to access information that morning were met with encrypted files and a demand for payment in bitcoin to unlock the records.

Now, five months later, eHealth admits it still doesn't know exactly what information was taken, who took it, where it went or what it's being used for.

Toronto cybersecurity expert Claudiu Popa said anyone with a Saskatchewan health card should be alarmed.

"The worst case scenario is a scenario in which we don't know what was taken," he said in an interview.

"Best practices in our industry, in the security industry, dictate that if we don't know what was taken, we have to assume that everything was taken."

Popa is the author of the Canadian Cyberfraud Handbook and a certified information privacy professional. Officials with eHealth Saskatchewan declined to be interviewed about the ransomware attack. Instead, it emailed responses to questions.

Popa viewed these answers and offered his professional assessment of what happened and the implications for the future.

A high value target

Popa said health agencies are popular targets for cyberthieves, because they collect and stockpile sensitive information.

"That's where the bad guys want to break in because they want to do as little work as possible for as much gain," he said.

"That gain can be hundreds of thousands, or maybe even millions of data records as we've seen in many other health care data breaches. So these are very valuable."

He said this information could be used to extort individuals by threatening to reveal sensitive medical test results. Or, data such as health card or social insurance numbers could be sold and used for identity theft.

This sort of information is now online in Saskatchewan. In October 2019, eHealth introduced MySaskHealthRecord, a system where individuals can securely view test results and clinical visits histories.

Popa said most health organizations realize the value and sensitivity of the information and they secure it to the best of their ability.

"Sometimes it just comes down to the weakest link," he said.

"Sometimes it's as simple as clicking on an infected email link."

Mechanics of the attack

eHealth confirms in its emails that there were two aspects to the ransomware attack.

One saw the thieves copy files and then send them to a series of IP addresses, at least four of which have since been traced to Europe. Those files were encrypted and password protected.

The second involved the attackers encrypting the original files in the eHealth system. They are demanding ransom on two fronts, to regain control over files in two locations.

eHealth said it has not paid any ransom to unlock these files. Rather, it's relying on back-up files. But it's a challenge without knowing exactly what was copied.

"eHealth continues to work with the owner of the files (Saskatchewan Health Authority) to determine the exact content of the files sent to these suspicious IP addresses," a spokesperson said in an email.

The official added that eHealth has hired specialized firms to determine if any files have been illegally offered for sale.

This sort of information is often sold on the "dark web," internet sites that use software to provide anonymity and are not found on search engines. The official said that no such activity was found with the Saskatchewan data.

Popa said this may not tell the whole story.

"There's an entire food chain and a lot of these guys are bottom feeders, they take on different roles in that ecosystem," he said.

"Some of them specialize in health data, and others just specialize in hacking into systems but they don't really understand what to do with that health data. So they simply hand it off to the next person in the chain."

So while the files have not appeared for sale, that's not to say specific information — dates of birth, social insurance numbers — has not already been sold.

System improvements and lingering questions

eHealth said it has since taken steps to protect patient information and limit the impact on health services.

Password protocals have been changed, protection software has been updated and multi-factor authentication has been introduced for some systems.

"Lessons learned in the ransomware incident will be incorporated in eHealth's previously existing multi-year plans to strengthen disaster recovery and business continuity planning," the official said.

Popa said this is entirely in keeping with what other health organizations have said after such a breach.

He said it disguises larger issues.

"Most organizations say, look, we've seen the ransomware note. We haven't been able to work for the past two days but we refuse to pay the ransom and now we've recovered the data from back-up and we have done whatever it takes to secure the system," he said.

This draws attention away from the fact that the information was stolen.

"In this particular case, because we don't know what information was stolen and what access was used, it could be even worse in the sense that the information that is still there might have been modified without the knowledge of the organization."

The eHealth official said there is no suggestions files were modified, but that the investigation is ongoing.

CBC
Police identify man who plunged to his death from balcony
Toronto police have identified a man who plunged to his death from an eighth-floor balcony downtown late Wednesday in the city's latest homicide.Ryan Williams, 38, of Toronto, fell from a balcony just before midnight at a highrise in the area of Church and Shuter streets, police said in a news release on Thursday.Paramedics say they transported a man to a trauma centre. He was pronounced dead in hospital, according to police.Williams is the city's 24th homicide victim of the year.Police have sai
a day ago
CNN
Secret Service says agent on Harris’ detail was removed from assignment after distressing behavior
A Secret Service agent assigned to Vice President Kamala Harris’ detail was removed from their assignment after displaying behavior that colleagues found “distressing,” the agency said.
14 hours ago
People
“Call Her Daddy'”s Alex Cooper Models Her Wedding Night Lingerie in Instagram Reveal: See the Racy Look
Cooper wore a sexy lacy bodysuit from SKIMS' Wedding Shop collection after marrying Matt Kaplan in Mexico
2 days ago
Cosmo
Sabrina Carpenter looks practically naked in completely see-through lace mini dress
Sabrina Carpenter went braless wearing the Mirror Palais Anemone Dress in butter featuring illusion tulle adorned with lace appliqués along the neckline and hem
a day ago
HuffPost
Jamie Raskin Suggests Fitting New Home For 'Partisan' Supreme Court In Blistering Take
The House Democrat named the "most astonishing" thing he heard from one justice after the court heard arguments on Donald Trump's immunity claim.
7 hours ago
Yahoo News UK
Pensioner who worked at Clarks for 68 years given boot with two days' notice
Jill Cornick, 82, is out of work for the first time in her life after being told the Clarks shop she worked in since 1956 in Dorset was closing.
5 hours ago
HuffPost
Ex-Trump Lawyer Spots Donald Trump’s ‘Big Mistake’ That Will ‘Make His Campaign Cringe’
“That just brings back all those bad memories about that issue," Jim Schultz told CNN's Jake Tapper.
9 hours ago
Reuters
Trump's three US Supreme Court appointees thrash out immunity claim
When the U.S. Supreme Court ultimately rules on Donald Trump's claim of presidential immunity from prosecution, a third of those deciding the matter will be justices he appointed to their lifetime posts. Those three - Amy Coney Barrett, Brett Kavanaugh and Neil Gorsuch - posed questions from various angles as the nation's top judicial body heard arguments on Thursday in a case that provides a vital test of the power of the presidency. A key question, Gorsuch said, is "how to segregate private from official conduct that may or may not enjoy some immunity."
19 hours ago
HuffPost
Harvard Law Professor Offers Scathing Summary Of SCOTUS-Trump Arguments
Laurence Tribe pulled no punches over what he described as a “shameful performance by the court.”
6 hours ago
CNN Business
Right-wing media ruptures over Marjorie Taylor Greene’s threat to oust Mike Johnson
As Greene threatens to oust House Speaker Johnson over his support for Ukraine aid, a rift has ruptured in the MAGA Media landscape.
5 hours ago
Cosmo
Kylie Jenner just revived the naked brow trend and she looks like a woodland fairy
Kylie Jenner shares Instagram selfies of her new bleached eyebrow look for 2024. She looks so different, with the ash-blonde look.
6 hours ago
The Daily Beast
Judge Upholds Trump’s $83 Million Defamation Verdict
Reuters/Brendan McDermidA federal judge in New York upheld a defamation verdict against Donald Trump, keeping him on the hook for the $83 million he owes E. Jean Carroll, the writer who accused him of sexual assault.Trump had motioned to receive a new trial, but Judge Lewis Kaplan rebuffed that effort, determining nothing was wrong with the first one that ruled against him.The decision affirms that Carroll suffered harm from Trump publicly railing against her in 2019, as she went public with her
20 hours ago
CBC
Makeshift slaughterhouse in a residential garage points to growing concerns about illicit meat sales
Inside a garage in an established Edmonton neighbourhood, animals were being slaughtered and the meat was advertised for sale to consumers, a CBC News investigation has learned.Police entered the rented garage in the quiet residential Woodcroft community in February 2023. Images shared with CBC News show piles of goat carcasses, tubs of blood and the remains of a skinned baby goat on a makeshift slaughter table.Neighbour John Bos told CBC News that the sounds of bleating goats first alerted him
22 hours ago
InStyle
Prince Edward and Duchess Sophie Feel Disappointed by King Charles Royal Title "Snub"
The "chosen ones" are reportedly sad they didn't get new roles after Prince William and Kate Middleton's latest appointments.
a day ago
Kansas City Star
Not everything about the NFL Draft is about football. See Gracie Hunt’s Chiefs dress
Gracie Hunt, the daughter of Chiefs CEO Clark Hunt and his wife, Tavia, marked the first day of the NFL Draft by posting photos of herself in team colors.
23 hours ago
People
All About Okla. Family Murder-Suicide, Where Dad Killed Wife, 3 Sons Before the Last Surviving Child Called 911
Jonathon Candy, 42, fatally shot his wife, Lindsay Candy, 39, and three of their four children, ages 18, 14, and 12, on April 22, before dying by suicide
23 hours ago
USA TODAY Sports - Golfweek
Is Jon Rahm having an existential crisis? He’s certainly going off his LIV Golf script a bunch
Rahm keeps wandering off the script, especially in the last month.
4 hours ago
Hello!
Princess Charlotte's secret hidden talent revealed by mum Princess Kate
Princess Charlotte will be celebrating her 9th birthday next week, and she has a cool hidden talent! Her mum Kate Middleton recently opened up about her hobby...
a day ago
USA TODAY
A longtime 'Simpsons' character was killed off. Fans aren't taking it very well
"The Simpsons" has killed off a long-time character who was a regular at Moe's Tavern. Fans are mourning the loss online.
14 hours ago
Hello!
Palace feared Prince William and groomsman Prince Harry would 'pass out' at royal wedding
Buckingham Palace put contingencies in place to ensure the Prince of Wales and his groomsman Prince Harry didn't pass out at Princess Kate's 2011 royal wedding.
11 hours ago

Latest Stories