Canadian Security Magazine

News Data Security Health Care
More than 200,000 additional files were accessed: Eastern Health

The government has refused to provide any details about the nature of the cyberattack — including whether or not the hackers demanded a ransom.


By Peter Jackson, Local Journalism Initiative Reporter

THE TELEGRAM

Five months after Newfoundland and Labrador’s health-care system was hit by a cyberattack, authorities are still discovering banks of files that have been compromised by the hackers.

In December, health authorities announced that social insurance numbers of 2,541 patients — living and deceased — were accessed. They had originally thought only employee information was compromised.

Advertisement

On Wednesday morning, March 30, Eastern Health chief executive officer David Diamond told reporters more breaches have been discovered.

“We’ve since determined that additional information was taken during this incident,” he said, adding later the revelation first surfaced at the end of February.

“Over 200,000 files were taken from a network drive at Eastern Health’s IT environment, and a portion of that may contain patient information and employee information.”

Diamond could not say how many people have been affected, as investigators are still manually combing through the files, but admitted “it could be thousands.”

He emphasized that financial information has not materialized in the files so far, but they may contain medical diagnoses, procedure types, MCP numbers and human resources information.

Diamond said Eastern Health wanted to come forward publicly before affected patients and staff are notified so people are not caught off guard if they receive a letter.

General questions about the breach can be answered by calling a toll-free line — 1-833-718-3021 — but Diamond said callers cannot obtain any specific personal information through that service.

Credit monitoring services for affected parties were set up in October 2021 through Equifax Canada, and Health Minister Dr. John Haggie said the contract has plenty of capacity to take on new
clients as they are identified.

As of March 20, Haggie said, 2,270 health clients and 13,366 current and former health authority employees have registered with Equifax. The deadline for enrolment has been extended to the end of 2022.

“We deeply regret that this incident has occurred,” Diamond said.

He said some of his own personal emails have surfaced on the “dark web,” but he’s so far unaware of anyone being negatively affected by the breach.

“We’re not aware that any of this information has been misused.”

The government has refused to provide any details about the nature of the cyberattack — including whether or not the hackers demanded a ransom — and Haggie defended that stance again Wednesday.

There are certain security elements around this and we have involved national agencies, and we’ve been advised there should not be any answers to questions like that,” he said.

He did say some agencies, including law enforcement and the privacy commissioner, will likely issue final reports at some point.

The minister could not offer a tally of the cost to the province, so far, of restoring the system.

Meanwhile, the Official Opposition has decried what it considers to be a serious lack of transparency on the part of the government.

“The minister of Health waited over a month to inform the province that over 200,000 records, including personal medical records, were taken by bad actors, impacting thousands of people,” said Progressive Conservative Interim Leader David Brazil. “Delayed transparency is not transparency, and the minister has not lived up to his duty to keep the people of our province informed about this
attack.”

Health critic Paul Dinn said when Ireland’s health system experienced a ransomware attack in May 2021, that government made redacted reports available to the public within months of the event.

“No such commitment has been made by the minister of Health in today’s update,” Dinn said, adding the government has learned nothing about the need for transparency since the Cameron Inquiry report into botched hormone receptor tests in cancer patients was released in 2007.

“Waiting a month to reveal this critical information does not live up to the standards set as a result of the Cameron Inquiry,” Dinn said.