It is being called one of the biggest privacy breaches in the province’s history.
The province’s privacy commissioner has released a 51-page report on a ransomware attack at eHealth Saskatchewan outlining what happened and what needs to happen to ensure this doesn’t happen again.
Ron Kruzeniski says an SHA employee opened up a malicious file in an e-mail from her personal device that was connected to a computer on the Saskatchewan Health Authority network. That file resulted in ransomware going through the network with the attackers making demands on January 5.
Kruzeniski’s report shows there were three opportunities where the ransomware could have been detected sooner, but a full investigation was not performed, and that both the SHA and the Ministry of Health did not let people know in time because of an excessive delay by eHealth in letting them know what was happening. In the end, it was determined the personal information, personal health information or both of over 547,000 people in Saskatchewan were exposed.
Recommendations in the report include a comprehensive review of security protocols by eHealth and whether it should have IT security staff in place 24-7 to monitor and investigate threats, that the SHA and the Ministry take immediate steps to provide mass notification and that the SHA, eHealth and the Ministry all work together and provide identity theft protection, including credit monitoring, to those affected for a minimum of five years from the date an affected person’s information is either discovered or by anyone who requests it.
In the report, Kruzeniski states eHealth has been tasked with collecting, storing and protecting the most sensitive health data in our province and that it is absolutely reasonable that each citizen demand the very highest level of security on our health information. He says to accept less is irresponsible.
Kruzeniski’s report concludes with him saying, “Although this investigation has troubled me, I trust that eHealth, the SHA and Health will take the necessary steps as outlined in this report to ensure they are protecting the personal information and personal health information of the citizens of this province and strive to have the best protected systems with the best cybersecurity trained employees.”