Privacy Commissioner Report on eHealth Saskatchewan Cyberattack

By Esther Shainblum and Luis R. Chacin

On January 5, 2021, the Office of the Saskatchewan Information and Privacy Commissioner (the “Commissioner”) released its Investigation Report on the ransomware attack affecting eHealth Saskatchewan (“eHealth”), the Saskatchewan Health Authority (“SHA”) and the Ministry of Health (“Health”) in late 2019 and early 2020.

The ransomware attack occurred when, on December 20, 2019, an SHA employee opened a corrupt Microsoft Word document from their personal email account on their personal device, which was at the time charging via a USB connection to their SHA workstation. The corrupt Microsoft Word document triggered the execution of the “Ryuk” ransomware on the workstation; the ransomware subsequently infiltrated the shared network infrastructure of eHealth, the SHA and Health and, on January 5, 2020, encrypted a number of files on it. Although the Commissioner was not able to conclude exactly how many files were potentially affected, it was determined that approximately 50 million files were exposed to the ransomware, of which a minimum of 547,145 potentially contained personal information and/or personal health information. The investigation found that the employee had received privacy training but had not received training on the SHA’s Acceptable Use of Information Technology (IT) Assets policy.

In its report, the Commissioner found, among other things, that there was a privacy breach affecting the personal information and personal health information of individuals, as defined in Saskatchewan’s The Freedom of Information and Protection of Privacy Act and The Health Information Protection Act, respectively, and that eHealth failed to fully investigate two early threat occurrences; a full investigation of those occurrences may have prevented the subsequent attack and extraction of data.
The Commissioner also found that the SHA had not provided the employee who caused the breach with training on its Acceptable Use of IT Assets policy, that eHealth, the SHA and Health failed to contain the breach, and that eHealth, the SHA and Health failed in their breach notification obligations. Further, the Commissioner found that the SHA and Health failed in their duty to protect personal information and personal health information, because they did not have all the necessary checks and balances in place to ensure that eHealth was not handling their IT service delivery in a deficient manner. The Commissioner made a number of recommendations in its report, including that:
The Commissioner’s report is particularly relevant in the context of the National Cyber Threat Assessment 2020 (the “Assessment”) recently released by the Canadian Centre for Cyber Security, which warns that “as more information is shared and stored online, the threat to individual privacy increases.” In this regard, the Assessment further states that “cybercrime remains the most common threat faced by Canadian organizations of all sizes” and that “cyber threat actors have expanded the use of [Business Email Compromise] beyond traditional business victims to target religious, educational, and not-for-profit organizations.” Although the ransomware attack on eHealth and the SHA involved a personal email account on a personal device connected to a network computer via USB, as opposed to a business email account, the Commissioner’s report is an important reminder for charities and not-for-profits of the importance of having appropriate policies and implementing appropriate training and protocols to ensure employees know what to do in order to protect the personal information under the control of the organization.