Haggie said a cyberthreat report raised 'no red flags.' Now it appears he didn't actually read it

The then health minister now says he was presented with a summary, partly verbal, of that 2020 threat assessment about cyberpreparedness.

Former health minister says comments stemmed from summary presented to him

In May, then health minister John Haggie told reporters he had received a threat assessment of health-care cybersecurity a couple of years earlier that 'highlighted no red flags.' (Mark Quinn/CBC)

Former provincial health minister John Haggie does not appear to have read a 2020 threat assessment that he publicly said last year "highlighted no red flags" about the state of health-care cybersecurity in Newfoundland and Labrador.

Recent court filings by the government have revealed previously redacted details of that report, which warned of "significant IT vulnerabilities."

Newfoundland and Labrador's health-care system suffered a devastating cyberattack by a ransomware group in the fall of 2021.

This week, CBC News asked Haggie, now the minister of education, how he would now characterize those warnings about "significant" vulnerabilities, in the context of his past "no red flags" comment.

"The issue of 'no red flags' was words that were supplied to me by NLCHI [the Newfoundland and Labrador Centre for Health Information] at the time," Haggie replied.

"They had that report. My recollection of it is that we took that with Health and Community Services at the time, and have gone to Treasury Board over the course of the period subsequently to look for increased investment. My memory is a little hazy now as to exactly what that was, but I do recall making some comments about increased investment in IT and security." 

Did he read the document? 

"I was presented with a summary at the time and that's where the 'no red flags' came from," Haggie replied. "Part of that was verbal."

So he made those comments about "no red flags" and no issues of concern based on what somebody had summarized for him, not from his primary source reading of this document?

"It was from a summary from NLCHI provided to me," he said.

Haggie noted that, in the health portfolio, "you get a lot of summary documents, and you trust the information that you're given."

The headquarters of the Newfoundland and Labrador Centre for Health Information are located in St. John's. (Rob Antle/CBC)

Haggie referenced the 2020 cybersecurity threat assessment when speaking with reporters in May to rebut a CBC Investigates story.

Israeli cyberexperts who reviewed information security arrangements at Eastern Health confirmed "numerous vulnerabilities, security concerns and compliance issues" that needed to be addressed within its network.

The details were in a business plan prepared for the regional health authority in September 2020 and obtained by CBC/Radio-Canada.

Haggie — then health minister — minimized the significance of that report's findings, describing it as "a business development proposal."

At the time, Haggie told reporters he independently asked NLCHI for a threat assessment of cyber systems in September 2020 — around the same time the Eastern Health report was completed.

"I received a threat assessment which highlighted no red flags," Haggie said.

CBC News subsequently requested that threat assessment through provincial access-to-information laws.

It was titled "Ransomware: Threat and Mitigation Plans." Portions were blacked out in the response provided to the CBC.

But last week, the government wiped off some of that black ink in documents it filed at court to stop the privacy commissioner from having any continued role in investigating the 2021 cyberattack.

Among the sections of the 2020 threat assessment revealed by the government in court:

  • "Significant IT vulnerabilities exist, with new vulnerabilities identified daily such as outdated OS, unpatched systems, software flaws."
  • "NLCHI, under the existing mandate, will require significant effort to elevate all eHealth IT environments to an acceptable level of security."

CBC News asked Haggie this week whether he believes his "no red flags" comment is still accurate, given what is now known about those details of that assessment.

"I think the investigation from the privacy commissioner and the reports that [the Department of Justice] and [Justice] Minister Hogan will get will help clarify that," he replied.

WATCH | John Haggie questioned about past comments on cyber threat assessment:

At the Newfoundland and Labrador legislature this week, reporters asked the former health minister about comments he made last year referencing a ransomware threat assessment

The privacy commissioner has since stepped back from his office's ongoing cyberattack probe, saying he wanted to avoid a lengthy and expensive court proceeding and avoid any further delays in releasing the report.

The commissioner has delegated his authority to conduct and conclude the investigation to other officials in his office.

At this point, there is no date set for the release of the report.

ABOUT THE AUTHOR

Rob Antle

CBC News

Rob Antle is a producer with the CBC's Atlantic Investigative Unit, based in St. John's.
