Saskatchewan's information and privacy commissioner says the confidential health information of Saskatchewan people could "be floating around the dark web right now for sale to the highest bidder" because of a host of preventable, critical failures in the province's eHealth IT system.
In a damning report released Friday, Ron Kruzeniski says a ransomware cyber attack in December 2019 allowed criminals to steal millions of files, including more than half a million containing personal information of Saskatchewan people.
While the files haven't yet been released publicly, Kruzeniski says they could be at any time.
"I am also troubled that at this moment citizen's data could have been sold to fund criminal activity or purchased by the worst of humankind for nefarious purposes," he wrote in the 51-page report.
eHealth is a Crown corporation responsible for operating, maintaining and renewing all computer systems that serve the health-care sector, from diagnostics to pharmaceuticals to patient records.
Could have been prevented, says commissioner
The trouble began when a Saskatchewan Health Authority employee opened an email on a personal tablet that was connected by USB to an SHA computer. That enabled a virus to infect the computer and ultimately eHealth's systems, allowing the millions of files to be stolen.
The commissioner's review uncovered many ways eHealth, the SHA and the Ministry of Health failed to adequately protect the private information of Saskatchewan people.
He says eHealth systems alerted staff about the breach shortly after it happened in late December 2019, but failed to thoroughly investigate.
Kruzeniski says a proper review "may have prevented the malicious extraction of data that followed."
eHealth asked SaskTel to conduct an investigation into the incident and examine eHealth's overall security system.
A 'hodge podge' of computer systems
He said that review "outlined some very troubling weaknesses".
According to SaskTel's report dated May 4, 2020, investigators found that eHealth didn't have an accurate list of its servers. This made it difficult for eHealth to secure its information.
"eHealth holds the most sensitive information of the citizens of this province," said Kruzeniski. "The fact that eHealth needed to 'cobble together' an inventory of servers in order to respond to a ransomware attack is incomprehensible."
SaskTel also found that eHealth's security system consists of a "hodge podge of unintegrated security solutions being deployed, in various configurations, being operated in various parts of the organization and any attempts to improve the overall security posture of the organization met with resistance and often futility to the point where staff are frustrated and defeatist."
The SaskTel report also described what appear to be messy internal relationship problems.
Kruzeniski said that instead of eHealth employees working together, "you instead find pockets of power which are wielding that power to their own advantage to the detriment of the overall success of the eHealth mandate."
"eHealth should be operating in a cohesive and collaborative manner and not following a governance model which potentially allows for an egocentric and power based approach," he wrote.
On top of all this, the report says eHealth doesn't have the personnel or the authority to do the job the province is asking it to do.
The commissioner notes that eHealth responded to his draft report by saying SaskTel's findings were "unverified allegations and opinions based on information obtained from a small group within eHealth."
Kruzeniski wasn't persuaded by that, noting that eHealth had commissioned the report and provided it to his office without raising any concern about its contents.
'Excessive delay' in public notification
He chastised eHealth, the SHA and the Ministry of Health for long delays in properly informing the public about these breaches.
eHealth reported the attack publicly in January 2020. However, it took the Ministry of Health and the SHA until Dec. 22, 2020, to notify the public that information those organizations control had been involved. By that point, they had received the commissioner's draft report.
"The SHA and Health failed in their notification efforts due to the excessive delay in providing notification," he said.
Among his many recommendations, Kruzeniski said the Saskatchewan government needs to launch a top to bottom review of eHealth, including its governance, management and programs.
Minister of Health Paul Merriman agreed with this recommendation at a news conference Friday and said he takes this report very seriously.
"Everything about what happened at eHealth is concerning to me," Merriman said. "At the end of the day the responsibility is mine."
He said he will also be asking his deputy minister to review how things went so wrong.
In addition to the problems identified in Kruzeniski's report, there are financial concerns.
Last year CBC obtained an internal eHealth memo showing that much of its hardware and software is out of date and can no longer be updated. The memo said the organization has an urgent need for a $150-million injection to bring its systems up to date.
"There are some governance issues, there potentially could be some cultural issues in there and there could be some financial," said Merriman. "So I have to look at all of those to see what it is that I can do in the short term and the long term to make sure that eHealth is functioning at its best."
He said he will be examining the performance of the board and senior management starting Friday afternoon and continuing Monday morning.
"I would say that there seems to be a problem and it starts at the top."
The NDP opposition said the minister should be pointing fingers at his own government.
Vicki Mowat said the government has known for years that there were severe problems at eHealth.
It has been warned about problems with IT security by the provincial auditor on a regular basis, she said.
Mowat said she's disappointed the government had to be forced by Kruzeniski's report to be straight with Saskatchewan people about the extent of eHealth's failure.
"It shows that they deliberately sat on information about people's public health information being compromised instead of being up front," Mowat said.