Haggie said a cyberthreat report raised 'no red flags.' Now it appears he didn't actually read it.
John Haggie does not appear to have read a 2020 threat assessment that he publicly said last year "highlighted no red flags" about the state of health-care cybersecurity in Newfoundland and Labrador.
Recent court filings by the government have revealed previously redacted details of that report, which warned of "significant IT vulnerabilities."
The province's health-care system suffered a devastating cyberattack by a ransomware group in the fall of 2021.
This week, CBC News asked Haggie, now the minister of education, how he would characterize those warnings about "significant" vulnerabilities, in the context of his past "no red flags" comment.
"The issue of 'no red flags' was words that were supplied to me by NLCHI [the Newfoundland and Labrador Centre for Health Information] at the time," Haggie replied.
"They had that report. My recollection of it is that we took that with Health and Community Services at the time, and have gone to Treasury Board over the course of the period subsequently to look for increased investment. My memory is a little hazy now as to exactly what that was, but I do recall making some comments about increased investment in IT and security."
Did he read the document?
"I was presented with a summary at the time and that's where the 'no red flags' came from," Haggie replied. "Part of that was verbal."
So he made those comments about "no red flags" and no issues of concern based on what somebody had summarized for him, not from his primary source reading of this document?
"It was from a summary from NLCHI provided to me," he said.
Haggie noted that, in the health portfolio, "you get a lot of summary documents, and you trust the information that you're given."
Haggie referenced the 2020 cybersecurity threat assessment when speaking with reporters last May, to rebut a CBC Investigates story.
Israeli cyberexperts who reviewed information security arrangements at Eastern Health confirmed "numerous vulnerabilities, security concerns and compliance issues" that needed to be addressed within its network.
The details were in a business plan prepared for the health authority in September 2020 and obtained by CBC/Radio-Canada.
Haggie — then health minister — minimized the significance of that report's findings, describing it as "a business development proposal."
At the time, Haggie told reporters he independently asked NLCHI for a threat assessment of cyber systems in September 2020 — around the same time the Eastern Health report was completed.
"I received a threat assessment which highlighted no red flags," Haggie said.
CBC News subsequently requested that threat assessment through provincial access-to-information laws.
It was titled "Ransomware: Threat and Mitigation Plans." Portions were blacked out in the response provided to the CBC.
But last week, the government wiped off some of that black ink in documents it filed at court to stop the privacy commissioner from having any continued role in investigating the 2021 cyberattack.
Among the sections of the 2020 threat assessment revealed by the government in court:
"Significant IT vulnerabilities exist, with new vulnerabilities identified daily such as outdated OS, unpatched systems, software flaws."
"NLCHI, under the existing mandate, will require significant effort to elevate all eHealth IT environments to an acceptable level of security."
CBC News asked Haggie this week whether he believes his "no red flags" comment is still accurate, given what is now known about those details of that assessment.
"I think the investigation from the privacy commissioner and the reports that [the Department of Justice] and [Justice] Minister Hogan will get will help clarify that," he replied.
The privacy commissioner has since stepped back from his office's ongoing cyberattack probe, saying he wanted to avoid a lengthy and expensive court proceeding and avoid any further delays in releasing the report.
The commissioner has delegated his authority to conduct and conclude the investigation to other officials in his office.
At this point, there is no date set for the release of the report.