The bad guys slipped the virus into the eHealth Saskatchewan computer system on Dec. 20. For the next 17 days, it crept undetected through the network, copying some of the most sensitive health and personal information collected by government.
This massive intrusion stopped Jan. 6, but not because the cyberthieves were caught. That's when the shakedown began.
Employees trying to access information that morning were met with encrypted files and a demand for payment in bitcoin to unlock the records.
Now, five months later, eHealth admits it still doesn't know exactly what information was taken, who took it, where it went or what it's being used for.
Toronto cybersecurity expert Claudiu Popa said anyone with a Saskatchewan health card should be alarmed.
"The worst case scenario is a scenario in which we don't know what was taken," he said in an interview.
"Best practices in our industry, in the security industry, dictate that if we don't know what was taken, we have to assume that everything was taken."
Popa is the author of the Canadian Cyberfraud Handbook and a certified information privacy professional. Officials with eHealth Saskatchewan declined to be interviewed about the ransomware attack. Instead, it emailed responses to questions.
Popa viewed these answers and offered his professional assessment of what happened and the implications for the future.
A high value target
Popa said health agencies are popular targets for cyberthieves, because they collect and stockpile sensitive information.
"That's where the bad guys want to break in because they want to do as little work as possible for as much gain," he said.
"That gain can be hundreds of thousands, or maybe even millions of data records as we've seen in many other health care data breaches. So these are very valuable."
He said this information could be used to extort individuals by threatening to reveal sensitive medical test results. Or, data such as health card or social insurance numbers could be sold and used for identity theft.
This sort of information is now online in Saskatchewan. In October 2019, eHealth introduced MySaskHealthRecord, a system where individuals can securely view test results and clinical visits histories.
Popa said most health organizations realize the value and sensitivity of the information and they secure it to the best of their ability.
"Sometimes it just comes down to the weakest link," he said.
"Sometimes it's as simple as clicking on an infected email link."
Mechanics of the attack
eHealth confirms in its emails that there were two aspects to the ransomware attack.
One saw the thieves copy files and then send them to a series of IP addresses, at least four of which have since been traced to Europe. Those files were encrypted and password protected.
The second involved the attackers encrypting the original files in the eHealth system. They are demanding ransom on two fronts, to regain control over files in two locations.
eHealth said it has not paid any ransom to unlock these files. Rather, it's relying on back-up files. But it's a challenge without knowing exactly what was copied.
"eHealth continues to work with the owner of the files (Saskatchewan Health Authority) to determine the exact content of the files sent to these suspicious IP addresses," a spokesperson said in an email.
The official added that eHealth has hired specialized firms to determine if any files have been illegally offered for sale.
This sort of information is often sold on the "dark web," internet sites that use software to provide anonymity and are not found on search engines. The official said that no such activity was found with the Saskatchewan data.
Popa said this may not tell the whole story.
"There's an entire food chain and a lot of these guys are bottom feeders, they take on different roles in that ecosystem," he said.
"Some of them specialize in health data, and others just specialize in hacking into systems but they don't really understand what to do with that health data. So they simply hand it off to the next person in the chain."
So while the files have not appeared for sale, that's not to say specific information — dates of birth, social insurance numbers — has not already been sold.
System improvements and lingering questions
eHealth said it has since taken steps to protect patient information and limit the impact on health services.
Password protocals have been changed, protection software has been updated and multi-factor authentication has been introduced for some systems.
"Lessons learned in the ransomware incident will be incorporated in eHealth's previously existing multi-year plans to strengthen disaster recovery and business continuity planning," the official said.
Popa said this is entirely in keeping with what other health organizations have said after such a breach.
He said it disguises larger issues.
"Most organizations say, look, we've seen the ransomware note. We haven't been able to work for the past two days but we refuse to pay the ransom and now we've recovered the data from back-up and we have done whatever it takes to secure the system," he said.
This draws attention away from the fact that the information was stolen.
"In this particular case, because we don't know what information was stolen and what access was used, it could be even worse in the sense that the information that is still there might have been modified without the knowledge of the organization."
The eHealth official said there is no suggestions files were modified, but that the investigation is ongoing.