$200K public relations aid for N.L. cyberattack didn't result in transparency, says expert
Government should have been advised to be more transparent, says Mark Sangster
Newfoundland and Labrador recruited $200,000 worth of public relations advice to deal with a cyberattack against its health-care networks last fall, and a cybersecurity expert says the contract should have resulted in more transparency.
The contract between National Public Relations and the Newfoundland and Labrador Centre for Health Information was obtained through an access-to-information request.
It indicates the company, which specializes in crisis communications, offered the province "strategic counsel on internal and external communications regarding cyber incidents," as well as media monitoring and other communications help.
The document was signed Oct. 30, 2021 — the day government officials have said they first discovered the attack — and it covers the government's "response phase" to the incident. It is among the few indications of what the cyberattack may have cost the province and about who was hired or consulted to help officials
handle the government's response.
Cybersecurity strategist Mark Sangster says he recommends any public-facing company or organization get some help with public relations if they're hit with a cyberattack — but he says they should be advised to be open with the public.
"That's the interesting conundrum here: the fact that this has been going on for a couple of months, at least, and there's been this sort of partial public communications about what's gone up, but we're not really hearing about the heart of it," Sangster said in an interview Thursday.
The Newfoundland and Labrador government has been tight-lipped about the cyberattack, refusing to say what type of attack occurred and what its motive was, or whether a ransom was demanded.
However, several experts have said the incident has all the markings of a ransomware attack, in which hackers encrypt or steal data to hold it hostage until a ransom is paid.
The hackers managed to wipe out much of the province's health-care IT network, forcing officials to cancel thousands of appointments, including cancer care. Doctors and nurses in some health-care facilities had to resort to paper records until systems came back online.
Officials have announced several data breaches resulting from the attack. On March 30, they revealed the perpetrators stole more than 200,000 files from a network drive, potentially involving the personal data of "thousands" of people.
Lack of details risks eroding trust: Sangster
Health Minister John Haggie has refused to say how much the attack cost the province, though he said on April 7 the free credit monitoring offered through Equifax to people affected by the incident cost the government about $5 million.
The contract shows a purchase order issued from the Newfoundland and Labrador Centre for Health Information —which maintains the province's key health information databases — to the public relations firm on Dec. 9 for $200,004.50.
Charges include $106,000 of consultation fees with "senior counsel" and $30,250 for consulting fees with a managing partner.
The contract's scope of work suggests National representatives sat in on emergency operations meetings and worked with "senior levels of government" to plan and respond to the attack. National did not respond to questions emailed Thursday morning.
By keeping quiet about details, the Newfoundland and Labrador government risks eroding public trust, especially among those whose data was stolen, Sangster said.
At some point, I think you owe it to the public and those people directly affected to explain what's happened.- Mark Sangster
"I think there is a trust issue and responsibility because you are a tax-paid organization," said Sangster, who wrote the 2020 book No Safe Harbor: The Inside Truth About Cybercrime — and How To Protect Your Business.
"At some point, I think you owe it to the public and those people directly affected to explain what's happened."
Other organizations could also learn from Newfoundland and Labrador's experience, he said, adding, "It's not about blame. This is about improvement."
In a statement emailed Thursday, the Department of Health and Community Services said government cannot provide details about the attack.
"What we can confirm is that we experienced a cyberattack where an unauthorized third party accessed our systems, took some employee personal information and patient personal health information, and encrypted some systems in our health-care IT system," wrote spokeswoman Nancy Hollett.
"We have a good understanding of the nature and extent of the incident and have taken the necessary steps to strengthen the security of our systems."
Hollett said investigations into what happened are ongoing, adding that they involve police, the province's privacy commissioner and the Canadian Centre for Cyber Security.