eHealth ransomware ‘one of the largest privacy breaches’ in Saskatchewan history

Saskatchewan’s privacy commissioner has confirmed that last year’s eHealth ransomware attack resulted in one of the biggest privacy breaches in the province’s history.

In a report issued Friday, Information and Privacy Commissioner Ron Kruzeniski outlined how it happened.

On Dec. 20, 2019, a Saskatchewan Health Authority (SHA) employee opened an infected file from an email on their personal device. Because it was connected to an SHA computer, the infected file was able to execute ransomware on the computer, and a “multi-phase exploit” took place for more than two weeks, which affected fileshares on the network that holds around 50 million files belonging to eHealth, SHA, and Health Ministry documents.

On Jan. 5, 2020, the attackers started making demands.

On Jan. 21, 2020, eHealth discovered that malicious users in Germany and the Netherlands had extracted about 40 gigabytes of encrypted data. Work done by eHealth eventually determined that more than 547,000 files may have been accessed that contain personal information, personal health information, or both.

The report notes that the SHA employee and eHealth had three opportunities where the ransomware could have been detected sooner. Kruzeniski found eHealth’s should have more fully investigated two “early threat occurrences” that could have prevented the data extraction, and that the SHA and the Health Ministry failed to notify residents in time because of eHealth’s “excessive delay” in notifying them of the situation.

“eHealth is charged with collecting, storing and protecting the most sensitive health data in our province,” Kruzeniski wrote. “Each of us has personal health information in eHealth’s systems. It is absolutely reasonable that each citizen demand the very highest level of security on our health information. To accept less is irresponsible.”

Kruzeniski made several recommendations to prevent a similar situation, including:

• That eHealth undertake a comprehensive review of its security protocols to include an in-depth investigation when early signs of suspicious activity are detected;
• That the SHA and Health take immediate steps to provide mass notification including media releases, newspaper notices, website notices and social media alerts;
• That eHealth, the SHA and Health work together and provide identity theft protection, including credit monitoring, to affected individuals for a minimum of five years from the date an affected individual’s information is discovered on the dark web or to any concerned citizen who requests this protection;
• That eHealth review whether it should have IT security staff in place 24 hours a day, seven days a week to actively monitor and investigate potential threats;
• That all eHealth and eHealth partners be required to complete cyber security and privacy refresher training on an annual basis; and
• That the Minister of Health immediately commence an independent governance, management and program review of eHealth based upon the concerns put forward by SaskTel, the Provincial Auditor and this Report.

In the immediate aftermath of the discovery of the ransomware last January, eHealth initially claimed no breach occurred; that claim was walked back a few weeks later. In anticipation of Kruzeniski’s report, the province admitted in a news release on Dec. 22, 2020 that it could not confirm that private information was accessed.

Health minister acknowledges ‘troubling findings’

In a statement issued Friday afternoon, the health minister recognized that the attack was mishandled.

“Saskatchewan people expect their personal health information to be secure and protected,” Paul Merriman said in the statement. “The report issued today by Mr. Kruzeniski contains several troubling findings and recommendations regarding the data breach and subsequent events, and details a number of shortcomings on behalf of eHealth, the Saskatchewan Health Authority and the Ministry of Health.

“Our government takes these findings and recommendations seriously and will commence work to address them immediately.”

The release said Merriman has ordered an internal review into the decisions made by the ministry and the SHA that resulted in the delay in notifying the public. It also notes that “action will soon be announced” regarding Kruzeniski’s recommendation to review eHealth’s governance, management and program operations.

The release also commits to providing responses to each of the 25 recommendations within 30 days, and quarterly updates will be provided to the privacy commissioner on the ongoing work.

Merriman says even though the ministry and the SHA are already extremely busy dealing with the COVID-19 pandemic, he expects officials will meet those timelines.