Health Minister appoints two new directors to eHealth board, promises independent review in response to privacy commissioner’s report

Report found that a minimum of 547,145 files had been stolen during a ransomware attack

(File photo/Jayda Taylor)

The Saskatchewan government has appointed two new board members and promised an independent review after the privacy commissioner released a report last week about a ransomware attack that affected eHealth files.

The province said several of the findings were “deeply troubling.” They also promised to take immediate action to address the recommendations.

That action began on Tuesday when Minister of Health Paul Merriman announced the appointment of two new board of directors for eHealth Saskatchewan.

“The Minister also provided instruction to the new Board of Directors to initiate an independent review of the governance, management and program operations at eHealth,” a statement from the government read.

The responsibilities of the new two-person board includes providing closer oversight of eHealth, which the government said will “better accommodate the independent review.”

Ministry of Health Assistant Deputy Minister Denise Macza will serve as the new chair and Ministry of Health Assistant Deputy Minister Billie-Jo Morrissette will serve as vice-chair.

Macza and Morrissette are replacing previous chair and vice-chair. The appointments take effect immediately.

“The appointments do not reflect a lack of confidence in the previous board chair and members,” the release stated.

Merriman thanked the outgoing board of directors for their work.

“I am confident that the new Board appointments as an interim measure will provide closer oversight of eHealth by the Ministry of Health during the governance review,” Merriman said in the release.  

The security breach occurred in late December 2019 and early January 2020 after a Saskatchewan Health Authority (SHA) employee plugged their personal device into their work computer and opened an infected word document through their personal email that led to a ransomware attack.

According to the report, the email appeared to be sent from an employee at a job search company that the SHA employee had previously communicated with. The job search company employee later advised the SHA employee that their email had been compromised.

The attack impacted shared infrastructure between eHealth, SHA, and the Ministry of Health. eHealth is a treasury board crown corporation that is responsible for the information technology in the province’s health system.

A tool developed by eHealth later identified 547,145 files were stolen that potentially contained personal information and/or personal health information. The files were encrypted so it’s unknown whose information was taken.

The breach is being referred to as one of the largest in the province since it’s unclear who was affected.