Saskatchewan’s information and privacy commissioner is calling last year’s ransomware cyberattack on eHealth one of the province’s largest privacy breaches ever.
On Dec. 20, 2019, an SHA employee opened an infected Microsoft Word document on a personal device while the device was being charged by USB cord at their workstation.
Opening the document triggered a Ryuk ransomware attack between Dec. 20, 2019, and Jan. 5, 2020, a news release from privacy commissioner Ron Kruzeniski’s office published on Friday said.
Kruzeniski found the attack affected some 50 million files and about 5.5 million of those files may have contained personal information and/or personal health information.
“A minimum 547,145 files containing personal information and/or personal health information of citizens of Saskatchewan were either exposed to the malware or maliciously stolen from eHealth, SHA and [the ministry of] health,” the release said.
In total about 40 gigabytes of encrypted data was extracted. On Jan 21, 2020, eHealth discovered the files were sent to IP addresses in Germany and the Netherlands.
Kurzeniski concluded the information in the files was either exposed by the malware or outright stolen in one of Saskatchewan’s most significant privacy breaches ever.
“[The affected groups] have not been able to determine if it’s yours, or mine, or someone else’s,” Kruzeniski told CBC News.
“That is one of the added problems in this particular area, is the thieves have done it in such a way, how do you know exactly what they got?”
3 missed opportunities
The commissioner’s investigation found there were three critical opportunities where the ransomware could have been detected — two by eHealth and one by the SHA employee.
“Had these opportunities not have been missed, eHealth may have been able to detect the ransomware, shut down its systems and stop the extraction of data,” the release said.
He found eHealth did not give sufficient notification about the ransomware attack and that the SHA and Ministry of Health failed in their notification efforts because eHealth was too slow to notify them.
Kurzeniski said the employee who opened the infected email document had privacy-related training but ultimately lacked training in the SHA’s Acceptable Use of Information Technology Assets policy.
He said there were also previous warnings on the employee’s file that were not taken seriously by the employee or their bosses.
“New and better and bigger cyberattacks continue to occur,” he said, adding training in cybersecurity is a constant and ongoing process.
Independent review among calls
The commissioner made several calls for change on Friday, including requesting an independent review of governance, management and program from the minister of health based on concerns raised by the provincial auditor, SaskTel and his own report.
Kruzeniski called for eHealth specifically to conduct a comprehensive review of security protocols, and on the SHA and Ministry of Health to take immediate steps to provide mass notifications, including to media outlets.
He called on eHealth, the SHA and the Ministry of Health to work together to provide identity theft protection, including credit monitoring, to the affected individuals for at least five years in the event their information is found on the dark web.
He asked eHealth to review whether it should have 24-hour-a-day IT security staff in place to investigate potential threats in the future.
Kruzeniski called for eHealth and its partners to complete cybersecurity and privacy training on an annual basis.
“I think it’s extremely important that we as citizens expect that that work will be completed as soon as practical in the middle of a pandemic,” Kruzeniski said of his recommendations.
“I think it’s fair for us to accept that we should insist upon the highest standard of security when it comes to protecting the most sensitive information we have.”
eHealth released a report on the attack near the end of December and outlined some of the measures it was taking to boost security and prevent future ransomware attacks.