Hackers stole personal information connected to both patients and employees in the Eastern Health and Labrador-Grenfell Health regions of Newfoundland and Labrador's health-care system as part of a recent cyberattack, according to officials.
The information was accessed through the province's Meditech data repository, which includes a patient information database as well as core communication tools, such as email.
According to government officials, the breach includes basic information collected when a patient registers for an appointment — including names, birthdays, addresses, email addresses and phone numbers, medical care plan (MCP) numbers, the name of the person's family doctor, marital status and in- and out-patient times. There is no indication that vendor information was included in the breach, according to Health Minister John Haggie.
The attackers were also able to access information connected to Eastern Health employees who worked within about the last 14 years and Labrador-Grenfell Health employees from about the last nine years.
WATCH | Premier Andrew Furey speaks with the CBC's Katie Simpson about the data breach on Power & Politics:
That breached information includes names, addresses, contact information and social insurance numbers. Haggie said there is no indication that banking information was included in the breach.
Eastern Health CEO David Diamond said anyone who has been an Eastern Health employee over the last 14 years should assume their data has been stolen. The province's health authorities are "devastated" the breach occurred, he said.
Diamond sympathizes with those who feel their information may now be in nefarious hands.
"The personal health information that is available in the registration conversation is limited, but it is there," he said.
Diamond said the province's health authorities do have insurance to cover losses brought on by ransomware or a cyberattack, but added there are no estimates yet as to what the attack could cost the province.
Obtained data was unencrypted, officials say
According to officials from the Newfoundland and Labrador Centre for Health Information, attackers obtained the data in an unencrypted state, meaning it was not locked behind a safety measure. It's unclear how many people are affected; systems storing the information have not yet been restored.
Officials say they believe no information was accessed in the Western Health region of the province, while an investigation in the Central Health region continues.
The government says the provincial Office of the Information and Privacy Commissioner has been contacted on the matter, along with the Canadian Centre for Cybersecurity and the Royal Canadian Mounted Police.
"This is not someone else's problem. This is everyone's problem. An attack on one is an attack on all," said Premier Andrew Furey during the news conference held Tuesday afternoon.
Watch the full briefing here:
Furey said a public notification process is now underway, which will include what steps people can take to protect their information — like monitoring banking and financial information for unusual activity. Material will be available online for the public to view by 6 p.m. NT, with a toll-free phone system launching Wednesday morning.
"This is the largest cyberattack in Newfoundland and Labrador's history for sure, and certainly among the largest that we've heard about in Canada." - Michael Harvey
In an interview with CBC News following the announcement, Newfoundland and Labrador Information and Privacy Commissioner Michael Harvey said it's unclear how much data is in the hands of hackers — calling the attack an interest of national security.
"This is the largest cyberattack in Newfoundland and Labrador's history for sure, and certainly among the largest that we've heard about in Canada," Harvey said.
He said his biggest concern would be preventing identity theft using the data, something that can be addressed through the use of credit monitoring services.
The province says it's ready to help with that.
"Anyone could use this information, any information they have, to steal someone's identity. They could be on the other side of the country, any parts of the world," said Justice Minister John Hogan.
"Just by checking your credit report, you will see if that information is being used. You'll be aware of that, you can call the banks, you can call the police, you can have it dealt with before anything of severe consequences happens."
Harvey also recommended proper "Internet hygiene," frequently changing passwords where applicable and avoiding phishing emails that could make a person a further target of an attack.
Haggie said the province is trying to be as open as possible about the attack but that officials are limited in how much they can say at this time.
"We're trying to be as open and transparent as possible," he said. "But we also need to be cautious about the third party watching. Literally, watching as we're doing [this] right now."
Harvey said the attack is a great concern, but is confident government is taking the appropriate steps to try to contain any further breach.
The update comes 10 days after the cyberattack shut down health-care services across the province.
Emergency services have continued throughout, and chemotherapy and radiation treatments have resumed across the province.
The government has not acknowledged whether the attack was ransomware. Ransomware attacks involve malicious software that accesses and prevents the use of critical computer files followed by a demand for payment to restore those files.
Meanwhile, the province's COVID-19 travel form and self assessment tool have been restored and can now be accessed online. Healthcare workers are also working to rebook appointments for patients impacted by the attack, with a specific emphasis on cancer patients.