Privacy Commissioner Report on eHealth Saskatchewan Cyberattack
January 2021 Charity & NFP Law Update
Published on January 28, 2021

By Esther Shainblum and Luis R. Chacin


On January 5, 2021, the Office of the Saskatchewan Information and Privacy Commissioner (the “Commissioner”) released its Investigation Report on the ransomware attack affecting eHealth Saskatchewan (“eHealth”), the Saskatchewan Health Authority (“SHA”) and the Ministry of Health (“Health”) in late 2019 and early 2020.

The ransomware attack began on December 20, 2019, when an SHA employee opened a corrupt Microsoft Word document from their personal email account on their personal device, which was at the time charging via a USB connection to their SHA workstation. The corrupt Microsoft Word document triggered the execution of the “Ryuk” ransomware on the workstation, which subsequently infiltrated the shared network infrastructure of eHealth, the SHA and Health and encrypted a number of files there on January 5, 2020.

Although the Commissioner was not able to conclude exactly how many files were potentially affected, it was determined that approximately 50 million files were exposed to the ransomware, of which a minimum of 547,145 potentially contained personal information and/or personal health information. The investigation found that the employee had received privacy training but had not received training on the SHA’s Acceptable Use of Information Technology (IT) Assets policy.

In its report, the Commissioner found, among other things, that there was a privacy breach affecting personal information and personal health information of individuals, as defined in Saskatchewan’s The Freedom of Information and Protection of Privacy Act and The Health Information Protection Act, respectively, and that eHealth failed to fully investigate two early threat occurrences, an investigation which may have prevented the subsequent attack and extraction of data. The Commissioner also found that the SHA had not provided the employee who caused the breach with training on its Acceptable Use of IT Assets policy, that eHealth, the SHA and Health failed to contain the breach, and that eHealth, the SHA and Health failed in their breach notification obligations. Further, the Commissioner found that the SHA and Health failed in their duty to protect personal information and personal health information by not having all the necessary checks and balances in place to ensure that eHealth was not handling their IT service delivery in a deficient manner.

The Commissioner made a number of recommendations in its report, including that:

  • eHealth utilize key network security logs and scans to effectively monitor the eHealth IT network and detect malicious activity.
  • eHealth undertake a comprehensive review of its security protocols to include an in-depth investigation when early signs of suspicious activity are detected.
  • eHealth continue dark web monitoring for a minimum of five years from the date of this Report.
  • The SHA and Health take immediate steps to provide mass notification including media releases, newspaper notices, website notices and social media alerts.
  • eHealth, the SHA and Health work together and provide identity theft protection, including credit monitoring, to affected individuals for a minimum of five years from the date an affected individual’s information is discovered on the dark web or to any concerned citizen who requests it.
  • eHealth review and reconsider the 70% cyber security training pass mark for its employees and its partners’ employees and increase the pass mark to a minimum of 90%.
  • eHealth review whether it should have IT security staff in place 24 hours a day, seven days a week to actively monitor and investigate potential threats.
  • The Minister of Health immediately commence an independent governance, management and program review of eHealth based upon the concerns put forward by Saskatchewan Telecommunications, the Provincial Auditor and this Report.

The Commissioner’s report is particularly relevant in the context of the National Cyber Threat Assessment 2020 (the “Assessment”) recently released by the Canadian Centre for Cyber Security which warns that “as more information is shared and stored online, the threat to individual privacy increases.” In this regard, the Assessment further states that “cybercrime remains the most common threat faced by Canadian organizations of all sizes” and that “cyber threat actors have expanded the use of [Business Email Compromise] beyond traditional business victims to target religious, educational, and not-for-profit organizations.”

Although the ransomware attack on eHealth and the SHA involved a personal email account on a personal device connected to a network computer via USB, rather than a business email account, the Commissioner’s report is an important reminder for charities and not-for-profits of the importance of having appropriate policies, training and protocols in place so that employees know what to do to protect the personal information under the control of the organization.
