The ransomware attack on eHealth Saskatchewan in 2019-20 is being called one of the largest privacy breaches in the province.
Ron Kruzeniski, Saskatchewan’s Information and Privacy Commissioner, included the Saskatchewan Health Authority (SHA) and the Ministry of Health as victims in the attack that happened in late December 2019 and early January 2020.
At least 547,145 files containing personal information, including health records, were exposed during the ransomware attack.
During the investigation, eHealth told the commissioner that the affected servers contained about 50 million files across eHealth, SHA and the ministry.
Through a metadata scan, eHealth identified that about 5.5 million files may have contained personal information.
Sask eHealth developed a tool to scan the 5.5 million files, which narrowed the affected records to 547,145, depending on the accuracy of its scanning tool.
“Only 3,000 of the 5.5 million files were manually checked by eHealth, Health and the SHA to determine the accuracy of the tool. Therefore, I am not able to comment on how accurate the tool is,” Kruzeniski said in his full report of the investigation.
“However, because the data that was extracted was encrypted, eHealth, the SHA or Health will never know what personal information or personal health information of the citizens of Saskatchewan has been stolen by the malicious actors.”
The ransomware attack began on Dec. 20, 2019, when an SHA employee opened an infected Microsoft Word document from a personal account on a personal device while it was being charged by a USB at a work station.
It led to a Ryuk ransomware attack on Jan. 5, 2020, and on Jan. 21. eHealth found the files were disclosed to malicious internet protocol (IP) addresses in Germany and the Netherlands. About 40 gigabytes of encrypted data was taken.
Ryuk is a type of crypto-ransomware that blocks access to a system, device or file until a ransom is paid.
eHealth was told to pay the ransom in bitcoins with the amount increasing every day until it was paid. However, eHealth never paid the ransom because of the uncertainty of whether or not they would ever retrieve the files.
Kruzeniski said the Ministry of Health learned that some of its files had also been exposed to the ransomware attack on June 2, 2020, but did not notify the privacy commissioner’s office until Sept. 15, 2020.
“In June, Health should have immediately issued a news release. I am concerned as to why Health and the SHA took this long to inform the public and why eHealth took this long to provide an update to the public,” Kruzeniski said in the report.
Kruzeniski said IPC said eHealth missed out on a few opportunities to detect the attack at an earlier time that would have allowed eHealth to shut down its system and stop the extraction of data.
IPC found that eHealth failed to fully investigate two early threats and failed in its notification efforts.
Kruzeniski also said SHA failed to provide adequate training to the employee who had opened the Word document leading to the attack.
“Each of us has personal health information in eHealth’s systems. It is absolutely reasonable that each citizen demand the very highest level of security on our health information. To accept less is irresponsible,” Kruzeniski said.
“Because we are dealing with the most sensitive personal health information, every person who has access to this information needs to be trained, retrained and trained again as to the things they can do and especially the things they cannot do.”
SHA interviewed the employee and confirmed privacy training had been provided, but did not receive training on the SHA’s Acceptable Use of Information Technology.
The employee was found to have not done anything with ill intent.
Kruzeniski made a number of recommendations to eHealth, SHA and the ministry.
- that eHealth undertake a comprehensive review of its security protocols to include an in-depth investigation when early signs of suspicious activity are detected
- that the SHA and Health take immediate steps to provide mass notification including media releases, newspaper notices, website notices and social media alerts
- that eHealth, the SHA and Health work together and provide identity theft protection, including credit monitoring, to affected individuals for a minimum of five years from the date an affected individual’s information is discovered on the dark web or to any concerned citizen who requests this protection
- that eHealth review whether it should have IT security staff in place 24 hours a day, seven days a week to actively monitor and investigate potential threats
- that all eHealth and eHealth partners be required to complete cybersecurity and privacy refresher training on an annual basis; and
- that the Minister of Health immediately commence an independent governance, management and program review of eHealth based upon the concerns put forward by SaskTel, the Provincial Auditor and this Report
“eHealth, the SHA and Health have begun to take the necessary steps to ensure they are protecting the personal information and personal health information of the citizens of this province,” Kruzeniski said.
Judy Ferguson released her Provincial Auditor of Saskatchewan 2020 Report–Volume 2 on Dec. 8.
In it, she said eHealth needs to do more when it comes to controlling and monitoring IT network access and testing disaster recovery plans.