Privacy Commissioner finds province did not share information quickly enough during 2021 cyber attack

Posted: May 24, 2023 11:45 am | Last Updated: May 24th, 2023 8:10 pm
By Bailey Howard

The Office of the Information and Privacy Commissioner has released its report on the 2021 cyber attack including 34 findings and six recommendations over 115 pages. 

The report was completed by Sean Murray, the Commissioner’s Delegate at the Office of the Information and Privacy Commissioner.  

The report says, to put the impact of the cyber attack into context, it is likely that the majority of the province had some amount of personal information or personal health information taken by the attackers though no specific number can be given. 

The attack likely began with a phishing email. 

A big finding in the report was that the length of time before the public was informed of the attack was too long. This includes government not communicating that information was taken or stolen in a reasonable amount of time. 

Sean Murray, Commissioner’s Delegate

OIPC says the poor communication continued when they sought answers to their questions when compiling information for the report. Similar to how the province wouldn’t say publicly if a ransom was paid, they would not answer that question for the OIPC. The report states areas where they did not receive a response or where a recommendation couldn’t be made as a result. The office says they gave the parties appropriate time before seeking these answers for the report as the province was reviewing the impacts, conducting forensic analyses and had to get the health system back up and running. 

The reason for 34 findings versus the six recommendations in the report is due to the work done since the attack. The office was pleased with the progress made by the Centre for Health Information and the health authorities in increasing security measures and reviewing data, showing many of their findings have been addressed since the release of the report. 

But how prepared was the province? The report states the Department received the Centre for Information Note in September 2020 which not only rated the threat of a ransomware cyber attack as being high, but also specifically listed a variety of concerns directly related to ransomware and proposed mitigations. 

The OIPC report recommends some measures for the province to take now and in the future on cyber security as well the importance of following through on the timeline for Project Breakwater and for the project to be appropriately resourced. The report also recommends having reviews of security measures done regularly as methods evolve. 

The report also recommends the creation of a Chief Privacy Officer within the Provincial Health Authority who report directly to the executive level. 

Here is a full list of the recommendations: 

  1. I recommend the Provincial Health Authority provide an update within its communications (such as each Region’s website landing pages for the 2021 cyber attack) confirming this was a ransomware cyber attack and providing a link to Government’s Report which outlines more details about the attack and prevention steps being taken.
  2. I recommend that the Provincial Health Authority update notification policies to reflect that where there is a breach of personal information or personal health information (where notification is required under an Act), that in the case of a ransomware cyber attack, notification should include information about those circumstances at the earliest reasonable opportunity, and furthermore that the factors considered in making such decisions about notification must be documented.
  3. I recommend that the Provincial Health Authority continue to take diligent steps to ensure that information management policies and procedures addressing retention and destruction of personal information and personal health information are developed and implemented to minimize the breadth and impact of any future privacy breach.
  4. I recommend that the projects outlined in Breakwater be appropriately resourced and implemented within the time frame outlined in the plan, informed and adjusted as required by the Gartner Assessment and any other subsequent assessments or analyses, with the goal of ensuring that cyber security across the provincial health information system meets internationally accepted cyber security standards.
  5. I recommend that the Provincial Health Authority undertake periodic external reviews, assessments, or audits at reasonable intervals going forward, to assess the status of cyber security across the provincial health information system and to determine whether the cyber security standards found to be in place are appropriate for the size of organization and the nature and sensitivity of the information to be protected, in accordance with internationally accepted cyber security standards, and furthermore to communicate the results of such assessments to the Minister.
  6. I recommend the creation of a Chief Privacy Officer position, within the Provincial Health Authority, at or reporting directly to the executive level, whose role it is to ensure that privacy best practices are embedded within all of the Authority’s activities, and to help ensure the Authority’s compliance with privacy laws. The person to fill that role should have qualifications and experience in privacy, with an appropriately resourced staff to carry out that mandate, from the largest hospital to the smallest clinic to virtual care, encompassing all parts of the Authority’s activities, including primary care, secondary uses of information for research and evaluation, and employee personal information.

The public can go to the Health Authority’s website to sign up for credit monitoring through Equifax. 

NTV’s Bailey Howard will be following this story and have more on NTV News First Edition and the NTV Evening Newshour. 

Scroll to top