The provincial government says the privacy commissioner’s findings from the eHealth Saskatchewan cyberattack reported on January 10, 2020 is “deeply troubling.”
The report, completed by the Office of the Saskatchewan Information and Privacy Commissioner (OIPC), contains 25 recommendations directed to eHealth, the Ministry of Health and the Saskatchewan Health Authority regarding the data breach and subsequent events.
On Friday afternoon, Health Minister Paul Merriman said Saskatchewan residents expect their personal health information to be secure and protected, but admitted that expectation failed when eHealth’s systems were breached.
“Everything about what happened at eHealth is concerning to me,” stated Merriman. “At the end of the day, the responsibility is mine with what happens with people’s personal health information, and I don’t take that responsibility lightly at all.”
He noted how the government will commence addressing the report’s recommendations immediately.
A release by the government on Friday shares that a response to each individual recommendation will be provided to the OIPC within 30 days due to the technical nature of several recommendations. Quarterly updates will be provided to the OIPC outlining progress on the development and implementation of preventative measures outlined in the report.
When asked why it took a report from the privacy commissioner for the government to take action, Merriman said some of the initial reasons he was told was that they didn’t know the depth of the cyberattack at the time.
“This was a very, very sophisticated attack that eHealth had never seen before,” he said. “That’s why I’m asking my deputy minister on why there was a delay in the timeline to be able to get that information out to the public because I feel it was very important that the general public knew the depth and the breadth of the breach that happened at eHealth.”
Merriman has ordered Deputy Minister of Health Max Hendricks to address concerns raised in the report including an internal review into the ministry’s and health authority’s decision making processes which resulted in those delays. He added that he has “absolute faith” in Hendricks to be able to provide him with an unbiased report which he will review and assess upon its completion.
The government noted in their statement that eHealth, the ministry and the SHA provided mass notification regarding the extent of the data breach in alignment with the OIPC recommendation to do so on December 22, 2020. This included notification through media releases, newspaper notices, website notices and social media alerts.