Saskatchewan’s privacy czar blasts province’s handling of 2019 cyberattack
Kruzeniski fears residents’ data could be on sale ‘to the highest bidder’
REGINA — On Dec. 20, 2019, a Saskatchewan Health Authority employee opened an email attachment that appeared to be from a job search company — inadvertently triggering one of the largest privacy breaches in the province’s history.
The attached Microsoft Word document was infested with malware that coursed through the employee’s tablet, up the attached USB cable and into their workstation, where it proceeded to infect Saskatchewan’s entire health system.
More than a year later, a report from Saskatchewan’s privacy czar shows that eHealth, the government agency that stewards electronic records, failed to take steps to contain the breach when it began and that the health system was woefully unprepared for such an attack.
Information and Privacy Commissioner Ron Kruzeniski wrote that at least 547,145 files containing personal health information of Saskatchewan residents were compromised, but that the true extent of the damage may never be known.
“This investigation has troubled me in several ways,” Kruzeniski wrote in his 51-page report.
“I am troubled that any citizen of this province that reads this Report could unknowingly have their personal information or personal health information floating around the dark web right now for sale to the highest bidder. I am also troubled that at this moment citizen’s data could have been sold to fund criminal activity or purchased by the worst of humankind for nefarious purposes.”
In a malware attack, hackers use infected files to gain access to data. In recent years, the digital saboteurs have been targeting health care systems, usually threatening to sell residents’ personal information on the internet if governments don’t pay what is demanded.
Such a demand was received by eHealth on January 5, 2020, asking for payment in Bitcoin — a type of digital cryptocurrency. That’s when the attackers used ransomware to block access to files across the health system. It was the first time officials learned of the attack.
“The final price depends on how fast you write to us,” reads part of the demand, as noted in Kruzeniski’s report.
When eHealth did not pay, hackers used ransomware to restrict access to more than 50 million health system files, essentially holding them hostage. An original scan determined 5.5 million of those files contained personal health information, although a tool developed by eHealth identified just 547,145 that may have been infected. According to Kruzeniski, the real number was inconclusive.
What is known is that between Dec. 20, 2019 and Jan. 5, 2020, approximately 40 gigabytes of data was whisked away to three IP addresses: two in Germany and one in the Netherlands. It is not known what that data contains.
At the time, eHealth responded by gradually backing up its system, restoring copies of the information that was otherwise under lock and key. But Kruzeniski found critical opportunities to contain the breach were missed.
One was on Dec. 23, when a threat analysis tool detected suspicious activity. The employee was alerted and told to change their password, but no closer follow-up was done.
“Asking an employee to change their password when there is a background threat is like changing the locks to your door while the burglar is still inside — it’s pointless,” Kruzeniski wrote.
More could have been done, eHealth acknowledged, but the agency argued that the campaign was “very sophisticated” and that the type of malware had not been identified by global antivirus systems.
Kruzeniski’s investigation also found more systemic issues, including a lack of sufficient security training for employees and long-held concerns about the state of eHealth’s security system. His investigation was delayed, he wrote, by slow responses from affected agencies that did not provide him with timely data. He determined that the Saskatchewan Health Authority, Ministry of Health and eHealth had failed to adequately notify Saskatchewan people of the risk to their data and that eHealth had failed to protect the data of Saskatchewan people.
He concluded his report with advice, including recommendations that the government monitor the internet for at least five years in case compromised data surfaces. He also recommended that the SHA and the ministry provide identity theft protection to any individual whose data appears.