Despite warnings, N.L. health officials didn't bolster cyberdefences before ransomware attack
Report by privacy commissioner’s office finds security was ‘lacking’ in important areas
Newfoundland and Labrador health officials did not act on a series of warnings and failed to adequately protect sensitive health information of hundreds of thousands of people before a ransomware gang launched a devastating cyberattack in 2021 that surreptitiously scooped up 200 gigabytes of data and paralyzed the province's health-care system.
That's among the findings of a 115-page report on the attack issued Wednesday morning by the Office of the Information and Privacy Commissioner.
"The biggest question at the outset of this investigation for us was whether this cyberattack succeeded despite these [provincial health] entities having cybersecurity practices that met recognized international standards, or if it succeeded because those standards were not being met at the time," the provincial watchdog noted in the report.
"Unfortunately, we found the latter."
Security in the health information system "was lacking in a number of important areas" and internationally recognized, industry-standard cybersecurity measures were "either not in place or not fully implemented."
The report found that deficit left the personal health information and personal information of citizens of the province vulnerable to cyberattack — "which, under the circumstances, was almost an inevitability."
Investigators concluded that these vulnerabilities were known within the health-care system but officials failed to fix them.
"The Department of Health and Community Services was informed in 2020 — over a year prior to the cyberattack — that a threat assessment rated the chances of a cyberattack as high, and the impact of such an event as high," said Sean Murray, a senior official in the commissioner's office who led the probe.
"In other words, the ransomware attack against our public health information systems was a foreseeable event. Efforts to reduce these vulnerabilities prior to the cyberattack were inadequate."
As well, investigators believe more people were affected by the breach than previously disclosed by government and health officials.
"The total number of privacy breaches caused by the cyberattack is unknown but is likely to be in the hundreds of thousands," the report advised.
"In other words, it is likely that the vast majority of the population of the province had some amount of personal information or personal health information taken by the cyberattackers, although the specific number may never be known."
The report noted that:
- Patients of Central Health from 2006 to 2021 had their personal health information accessed and taken in the cyberattack;
- Patients of Labrador-Grenfell Health from 2013 to 2021 had their personal health information accessed and taken in the cyberattack;
- Patients of Eastern Health from 2010 to 2021 had their personal health information accessed and taken in the cyberattack.
Additionally, it advised that all patients across the province who had COVID-19 testing up to 2021 had their personal health information accessed and taken by hackers.
In general terms, the report called data taken in the cyberattack "highly sensitive information that deserved the highest degree of protection."
However, the report found that "an impressive amount of work" has happened since the attack to ensure that appropriate cybersecurity measures are in place across the health information system.
"There is some good news," Murray said. "The havoc caused by the cyberattack is not the end of the story."
He said "substantial effort" has since been expended, work that has "significantly enhanced" cybersecurity for the province's health information systems.
Murray called cybersecurity "an ongoing arms race with organized crime as well as state-sanctioned actors, who will not only seek to extort us and breach our privacy, but also cause us to incur significant costs to the public purse and harm actual health-care delivery."
The report stresses that this is not a one-time fix, noting how essential it is that "sufficient focus and resources continue to be directed to this task."
The report notes that accountability for what happened is shared by the Newfoundland and Labrador Centre for Health Information, as well as provincial health authorities.
But it adds that leadership of the entire health-care system falls to the Department of Health and Community Services, and the minister must ensure there are appropriate resources for the province's cybersecurity to meet internationally recognized industry-accepted standards.
The commissioner's office made 34 findings, and six recommendations to improve the system going forward.
Those recommendations include periodic external reviews, assessments, or audits to assess the status of cybersecurity across the provincial health information system, and the creation of a chief privacy officer position within the new provincial health authority.
Political reaction to watchdog's report
At the House of Assembly Wednesday afternoon, interim Opposition leader David Brazil asked about the conclusions in the just-released report that more people were affected by privacy breaches than previously disclosed.
"This is the first time that the public have been informed of the true magnitude of this attack," Brazil said.
"I ask the premier, why did your government hide the sheer scale of this attack on the health-care system?"
Premier Andrew Furey brushed aside the question.
"We were very open in our communications — in fact we said immediately, upon recognition, that there was a problem," Furey responded.
"We said we didn't know the scope of the problem but we said that it was a potential, that many Newfoundlanders and Labradorians could have been involved in this."
Meanwhile, NDP Leader Jim Dinn said the province seems to react, rather than be proactive, when advised of problems that need to be fixed — as happened in this case, before the cyberattack actually occurred.
"When you identify deficiencies, the whole purpose of it is to try, to the best of your ability, to at least point out where you need to make changes to ensure the protection of the information," Dinn told reporters.
"No guarantee that putting locks on your house is going to prevent a break-in, but I would argue that you put all the measures in place to make sure that you have that security."
Justice Minister John Hogan said it's too early to discuss whether there will be any accountability for that lack of action to fix security gaps before the attack.
"The report is very fresh, very new," he said. "I'm not sure where the health authority is going to go with that, but I'm sure they'll look at it, along with the recommendations in the findings."