Cyber threat analyst questions eHealth's response to ransomware attack
eHealth conducting forensic analysis after system hit in ransomware attack
A cybersecurity threat analyst said eHealth Saskatchewan was too quick to promise that personal data was secure — and not quick enough to disclose the discovery that it might have been compromised in a ransomware attack.
In early January, CEO Jim Hornell said confidential medical information was secure following a cyber infiltration at eHealth.
"They made that claim far too quickly. Absence of evidence isn't evidence of absence," said Brett Callow, a B.C.-based threat analyst for international cyber security firm Emsisoft. "It's really akin to glancing around your burglarized home and saying nothing was taken."
Hornell backtracked one month later on Feb. 7, 2020, revealing that some data had been sent to suspicious IP addresses in Europe. The public was notified of this one week after he found out.
eHealth does not know what the files consist of, although Hornell said they do know that the server known to have communicated with the IP addresses contained administrative files.
Callow said he'd like to see stronger regulations that would require immediate disclosure to the public, even if the organization can't confirm what was taken.
"Would you rather be told by the organization now that your data may have been compromised or would you rather find out in three weeks when your bank account has been emptied?"
Callow said people have a right to be alarmed by a cyber breach. The privacy implications of attacks like this are concerning because they can lead to personal information posted on the Internet or extortion, he said.
Stealing data through malware in order to extort payment is a new phenomenon that picked up last year, he said, but extortion doesn't always happen immediately after the attack is detected.
Malware can allow attackers to gather information and credentials weeks or months before the actual ransomware is deployed and detected, he said. He said most attacks happen either through email or an improperly secured remote access solution — a system that hasn't been "patched" properly.
He said whatever targeted eHealth had likely been in the system for a period of time, in order to encrypt the data before slipping it past a data loss prevention detection system.
In January, Hornell told CBC that antivirus software had begun to issue alerts on Jan. 5 and then on Jan. 6 employees were asked for bitcoin in exchange for encrypted files.
However, Hornell told CBC News in February the virus had actually entered the system in December — not January, as he first indicated. CBC asked for an interview with Hornell to clarify when the CEO learned about the infiltration date, but a spokesperson declined.