NL

More health info stolen in N.L. cyberattack than government originally reported

The government has known for more than a month that there was more data stolen in an unprecedented 2021 cyberattack than they had made public.

Province has known for more than a month the theft was larger than publicly reported

The provincial government says the investigation into the cyberattack on Newfoundland and Labrador's health-care system indicates more information was stolen than previously reported. (Jonathan Hayward/Canadian Press)

The investigation into the cyberattack on Newfoundland and Labrador's health-care system in October has revealed more data was stolen than originally thought, says the provincial government.

According to Eastern Health CEO David Diamond, the provincial government learned Feb. 25 that thieves had taken more information than they had previously reported.

But that didn't become public until a media briefing Wednesday morning, when Diamond said more than 200,000 files were taken from an Eastern Health network drive that might contain patient and employee information dating as far back as 1996. Initial reports indicated the breach on Eastern Health employee data reached back as far as 2008.

"We're currently doing the work, undertaking a manual review to determine the exact number of files that contained personal health or personal information," he said. 

Health Minister John Haggie said work is underway to notify people whose information was stolen, and to provide them with credit monitoring and identity theft protection services at no cost.

"We obviously regret that this incident occurred," Haggie said.  "At this stage of the investigation we have a good understanding of the information involved in this incident."

WATCH: N.L. health minister refuses to provide cyberattack details

3 years ago
Duration 3:46
A compilation of John Haggie refusing to answer certain questions about the cyberattack against the province's health-care system — including who the attackers were, and whether the government paid a ransom — at a Wednesday news conference.

Still won't answer questions

But the government is still refusing to answer some questions about the attack — including who the attackers are, whether there was a ransom demand, whether a ransom was paid, and how the attackers were able to access the system.

When asked again Wednesday if the provincial government paid a ransom to regain access to its IT systems, Haggie said, "I won't be answering that question."

Sources have told CBC News the attack was ransomware: an attack in which hackers break into a network, trigger software to encrypt data on the network and demand payment in order to decrypt the data, holding the network and its owner hostage.

Haggie still would not provide details on who is responsible for the attack, citing security elements and portions of the investigation still underway by other organizations. He also wouldn't say how much the cyberattack and the investigation have cost the province so far.

"We have been advised by our security advisors, local, national and international, that giving away details of the incident beyond a certain point would be unwise and possibly jeopardize our abilities in the future to deliver services," Haggie said.

Watch the full March 30 briefing:

Wednesday marked the province's first update on the cyberattack since December, when Diamond told reporters the system had to be rebuilt from scratch after some services were forced to shut down for weeks.

The attack, which was discovered by officials on Oct. 30 and made public two weeks later, caused thousands of appointments, procedures and the province's COVID-19 testing program to be delayed. Haggie told reporters at the time the "brain of the data centre" that powers the province's health-care system had been damaged.

Diamond said Wednesday the stolen information may include medical diagnoses, procedure type and MCP numbers as well as human resources and administrative information.

"In terms of personal financial information and health information, we're not aware that any of that has been misused at this point," Diamond said.

"There's a lot of monitoring happening with the cyber experts that we have, folks who are searching the dark web and trying to ensure that if something were to be misused that we would know about that. We're not seeing that."

He said the deadline to enrol with Equifax's credit monitoring service has been extended to the end of the year and a web portal is being developed to make the registration process easier. The portal is expected to be rolled out within the next two weeks, he said, adding Eastern Health is continuing to implement further IT security measures.

Identifying victims

As more information is confirmed, letters will be sent by mail to affected individuals advising them of the details of the breach, said Diamond. Anyone who has questions can contact Eastern Health's Privacy Office, he said.

Diamond said the number of people affected could be in the thousands, but the number will become clearer as the investigation continues. 

PC Opposition leader David Brazil said Wednesday afternoon his party is disappointed the government isn't being more open and transparent about the attack. 

"We need to be reassured, and the people of this province need to be reassured that there's a mechanism in play that this doesn't happen again," he said.

Read more from CBC Newfoundland and Labrador