Officials in Newfoundland and Labrador said Wednesday they have uncovered more data thefts stemming from a cyberattack last October against the province’s health-care networks, and the latest breach could involve “thousands” of people.
More than 200,000 files on a network drive were stolen by the perpetrators of the attack, David Diamond, head of the province’s largest health authority, told reporters in St. John’s. The latest breach, he said, was found on Feb. 25 and officials are still working to figure out how many people are involved and exactly what information was taken.
Personal health information including medical diagnoses, health-care numbers and procedures ordered for patients may be among the stolen data, he said. Employment information may also have been stolen, but there is no indication social insurance numbers were taken, Diamond added.
“As you can imagine, with 200,000 files there are literally millions of data points,” said Diamond, president of the Eastern Regional Health Authority. “There’s a lot of manual work involved before we can put a final number, but we expect the number could be large; it could be thousands of individuals between staff and patients.”
Officials have announced several privacy breaches and data thefts stemming from the attack last October, which some experts have said was the worst cyberattack in Canadian history. The attack took out much of the province’s health-care IT networks, forcing the cancellation of thousands of appointments and shutting down services like diagnostic imaging and cancer care. In some hospitals, nurses and doctors reverted to a paper-and-pencil system to keep track of patients.
Diamond has said the IT systems had to be rebuilt “from scratch.” He could not say Wednesday if that rebuilding was complete, but he noted health-care operations were now running “pretty much at 100 per cent.”
Health officials refuse to divulge what kind of attack hit the health-care system, though cybersecurity experts have said it has all the features of a ransomware attack, in which hackers demand payment in exchange for stolen data or a key to decrypt compromised networks.
Joining Diamond for Wednesday’s news conference, Health Minister John Haggie maintained that silence, refusing to say if a ransom had been demanded or paid, or whether the province knew who was behind the attack and what motivated them.
When asked if any weaknesses in the systems had been discovered that may have led to the attack, Haggie said officials had “identified things that we are rectifying.” He acknowledged his opaque response was unsatisfactory.
“We’ve been advised by our security advisers that giving away details of the incident beyond a certain point would be unwise and would possibly jeopardize our abilities in the future to deliver services,” he explained.
When asked when that information might be made available, Haggie pointed to several ongoing investigations into the cyberattack, including a probe led by the province’s privacy commissioner.
“Those will, in the fullness of time, each present a public report on their facet of this incident,” Haggie said. “In terms of operational security, there are considerations that would preclude publication of some information now and in the future.”
Our Morning Update and Evening Update newsletters are written by Globe editors, giving you a concise summary of the day’s most important headlines. Sign up today.