ST. JOHN'S, N.L. — The Newfoundland and Labrador government revealed Tuesday that whoever was behind a cyberattack that has hobbled its health-care system managed to obtain personal information of patients and employees.
Government officials told a briefing that some patient and employee information from two health authorities was accessed through an online data repository. They don't know how many people were affected.
"Through the course of the investigation thus far, it has been determined that some personal information and personal health information has been accessed," Premier Andrew Furey told a news conference in St. John's. "I know that that sounds alarming and frightening. We do know that there is no indication that the personal information or personal health information has been misused."
He said there was no evidence banking information had been accessed. "The appropriate authorities have been contacted and are on the case," Furey said.
Officials at the briefing said the employee information accessed included names, addresses, contact information, employee identification numbers and social insurance numbers. Patient information included health card numbers and providers, reasons for visiting health-care facilities, phone numbers, marital status and maiden names.
The information accessed from the eastern health authority goes back about 14 years, they said, and the data accessed from the Labrador-Grenfell Health authority goes back about nine years.
"I think this is quite a serious breach," said David Diamond, chief executive officer of the eastern health authority. "We're in no way suggesting that this information is not quite significant and serious."
Security experts have questioned why the Newfoundland and Labrador government has released few specifics about the cyberattack since it was detected Oct. 30.
Officials have so far refused to say what kind of an attack the province is facing and whether the hackers involved have asked for money. Outside experts say it has all the signs of a ransomware attack, in which hackers infiltrate an information technology network and demand payment in return for restoring access.
Brian Honan, the head of Ireland's Computer Security Incident Response Team, said government representatives in that country were on national radio the morning after a similar attack was discovered last May, "telling people what happened, how it happened, what the impact would be."
"They came up very early and said they would not be negotiating with criminals, they would not be paying the ransom demand and they will be looking to restore systems as quickly as possible," Honan said in a recent interview.
People were worried about their private information being published by the hackers, and the government's transparency helped them understand what to expect, he said.
The attack in Newfoundland and Labrador affected what Health Minister John Haggie described as the "two brains" behind the provincial health network's data centre. Without access to such things as basic email, diagnostic images and lab results, the eastern health authority — which includes several major hospitals in St. John's — was left operating largely with pen and paper and running only emergency services.
Thousands of medical appointments have been cancelled, though the health authority has been able to resume some cancer care, such as chemotherapy and radiation.
Brett Callow, a British Columbia-based threat analyst for Emsisoft, an international cybersecurity firm, said there could be "very good reason" for the Newfoundland and Labrador to keep quiet, even 11 days after the attack was first discovered.
"For example, they may not be sure that the attackers are not still in the network," Callow said in an interview Monday. "And they don't want to say anything that could antagonize them or give them a heads-up as to what mitigations may be in progress."
Ontario-based health-care cybersecurity expert Anne Genge agrees it is curious to have so little information at this point, but said there are many factors for governments to consider in attacks like the one facing Newfoundland and Labrador. If the hackers have threatened to publish health-care information, that makes the considerations all the more complicated, she said.
"Health information is really the most sensitive and potentially embarrassing information about an individual," Genge said in an interview Tuesday. "Because you have treatments, diagnoses, your medications, mental health status, your sexual preference." That information can be used to discriminate again people, or event extort them, she said.
This report by The Canadian Press was first published Nov. 9, 2021.
Sarah Smellie, The Canadian Press