A minimum of 547,145 files containing personal information and/or personal health information were exposed in a ransomware attack of eHealth Saskatchewan, a report by the privacy commissioner has found.
It’s unknown whose personal information may have been stolen. Ron Kruzeniski, Saskatchewan’s information and privacy commissioner, said this breach could be comparable to the LifeLabs security breach in 2020 that affected around 93,000 people. He said the reason this breach is being defined as large is because it’s unclear who was affected.
“It may have affected you or me or any other citizen in the province and because the data was encrypted when it was stolen (and) the technical experts have not been able to determine who exactly was impacted,” Kruzeniski said.
The security breach happened in late December 2019 and early January 2020. On Dec. 22, 2019 a Saskatchewan Health Authority (SHA) employee had their personal device plugged into a USB port in their workstation to charge the device. They opened a Microsoft Word document from their personal email address on their personal device which then triggered a ransomware attack on the SHA workstation.
The “multi-phase exploit” occurred between Dec. 20, 2019 and Jan. 5, 2020. On Jan. 5 the attackers made a ransomware demand, which eHealth did not pay.
“Even if eHealth had paid the ransom, there would be no way to know whether or not the malicious actors kept a copy of the data that was stolen,” Kruzeniski’s 51-page report stated.
eHealth reported the cyberattack on Jan. 10, 2020 and confirmed publicly it was a victim to a ransomware attack. Nearly a week later, the Office of the Saskatchewan Information and Privacy Commissioner (OIPC) announced they would be investigating whether there was a breach of personal information or personal health information, and what measures eHealth could have taken to prevent it.
The investigation lasted several months. On Sept. 15, 2020, the Ministry of Health contacted Kruzeniski’s office and informed him that eHealth had advised the ministry that it was also a victim of ransomware attack. A letter was forwarded from the ministry to Kruzeniski advising that the ministry’s network may have been compromised.
Kruzeniski’s report explained that the breach infiltrated eHealth, SHA, and Ministry of Health computer networks.
The final report was released on Friday. It included a detailed overview of the situation, and made several recommendations for eHealth on how they can prevent future security attacks. The full report can be viewed at this link https://oipc.sk.ca/assets/foip-hipa-investigation-009-2020-053-2020-224-2020.pdf.
Kruzeniski said his office doesn’t know what happened with the information because of how the break-in occurred.
The Jan. 5 attack is being referred to as a Ryuk ransomware attack which the Center for Internet Security defines as “a type of crypto-ransomware that uses encryption to block access to a system, device, or file until a ransom is paid.” Jan. 5 is when eHealth first learned about the attack, over two weeks after the ransomware had infiltrated the network, according to the report.
The cyber attack impacted fileshares across eHealth, the SHA and the ministry of health because the three share infrastructure. A forensic investigation conducted by eHealth identified that about 50 million files were exposed to Ryuk. Although, a tool created by eHealth identified 547,145 files “that potentially contain personal information and/or personal health information that may have been infected by the malware.
“I am not able to conclude exactly how many (files) were potentially infected by the malware and potentially stolen,” Kruzeniski wrote in his report.
His office was also informed that malicious IP addresses in Germany and the Netherlands were involved. Approximately 40 gigabytes of “encrypted data was extracted.”
“We don’t know what happened to that information,” Kruzeniski told the Herald.
He added that it doesn’t appear the information has shown up on the dark web yet, and his office has recommended that eHealth keep an eye out to see if any of the information pops up there.
The major problem, Kruzeniski explained, is that people can combine personal information and personal health information with stolen data for from other places and use it to apply for things like passports, VISA cards and drivers licenses. He said someone also might be able to put together enough information to steal funds from a bank account.
The report recommendations urge eHealth to undergo a security review that results in them and their partners having the “best security system in the province.”
The office is also recommending “rigorous training” for staff. This includes re-training staff on an “annual or even more frequent basis.”
“Attacks are going to be with us and as one gap or one hole is blocked, the criminals will find another hole,” Kruzeniski said. “It requires all of us to be knowledgeable and then therefore very vigilant regarding what we do on our computers and our devices.”
Kruzeniski hopes this situation and report brings awareness for people to be more cautious with all of their devices.
“If your personal device is plugged into your work computer right now, I encourage you to unplug it,” he said.
Government response
The provincial government responded to the report on Friday afternoon, calling several of Kruzeniski’s findings “deeply troubling” and promising immediate action to address the recommendations.
Minister of Health Paul Merriman said the government takes the findings and recommendations of Kruzeniski’s report seriously.
“Saskatchewan people expect their personal health information to be secure and protected. This expectation was failed when eHealth’s systems were breached last December,” Merriman said in the statement.
On Dec. 22, the three involved parties, including the ministry of health, followed the OIPC’s recommendation of providing mass notification through social media, website notices and more about the extent of the data breach, according to the statement.
In total, there were 25 recommendations for eHealth, SHA, and the ministry. A response to each recommendation will be sent to the OIPC within 30-days.
Merriman thanked Kruzeniski for his report and “continued work in protecting the personal information of Saskatchewan citizens.”
