The Saskatchewan Information and Privacy Commissioner Ron Kruzeniski is calling the data breach of eHealth in December of 2019 one of the largest privacy breaches the province has been involved in.
The ransomware attack affected servers containing approximately 50 million files across eHealth, the Saskatchewan Health Authority and the Ministry of Health.
The report contained 25 recommendations for eHealth, the Ministry of Health and the Saskatchewan Health Authority, including the following:
- that eHealth undertake a comprehensive review of its security protocols to include an in-depth investigation when early signs of suspicious activity are detected;
- that the SHA and Health take immediate steps to provide mass notification including media releases, newspaper notices, website notices and social media alerts;
- that eHealth, the SHA and Health work together and provide identity theft protection, including credit monitoring, to affected individuals for a minimum of five years from the date an affected individual’s information is discovered on the dark web or to any concerned citizen who requests this protection;
- that eHealth review whether it should have IT security staff in place 24 hours a day, seven days a week to actively monitor and investigate potential threats;
- that all eHealth and eHealth partners be required to complete cyber security and privacy refresher training on an annual basis; and
- that the Minister of Health immediately commence an independent governance, management and program review of eHealth based upon the concerns put forward by SaskTel, the Provincial Auditor and this Report.
The report said the attack happened on Dec. 20, 2019, when an SHA employee opened an infected Microsoft Word document from their personal email on a personal device that was charging through a USB cord on their SHA workstation.
On Jan. 21, 2020, eHealth discovered files were disclosed to IP addresses in Germany and the Netherlands and about 40 gigabytes of encrypted data was extracted.
The Saskatchewan Ministry of Health responded to the privacy commissioner’s report, saying the findings are very troubling.
“The report issued today by Mr. Kruzeniski contains several troubling findings and recommendations regarding the data breach and subsequent events, and details a number of shortcomings on behalf of eHealth, the Saskatchewan Health Authority, and the Ministry of Health,” Health Minister Paul Merriman said in a press release.
“Our government takes these findings and recommendations seriously and will commence work to address them immediately.”
The government says a response will be given to the privacy commissioner for each recommendation in the next 30 days.