Breach Notification , Business Continuity Management / Disaster Recovery , Critical Infrastructure Security
Hackers Disrupt Canadian Healthcare and Steal Medical DataNewfoundland and Labrador Says Systems Outages Continue, Personal Details Exposed
An online attack has led to healthcare system outages in Canada's most easterly province, disrupting patient care and resulting in the theft of many residents' personal details, including medical information.
See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources
Health officials in the province of Newfoundland and Labrador on Oct. 30 disclosed that health systems had been disrupted by a "cyber incident." While officials did not use the word ransomware, security experts say the attack has the hallmarks of a crypto-locking malware outbreak.
A probe into the attack remains ongoing. "This is an evolving situation," said Newfoundland and Labrador Premier Andrew Furey at a Tuesday press conference.
Furey said investigators have found that more than a decade's worth of personal information for some residents - including health information - was exposed, as was personal information for healthcare system employees.
"For patients, the information is comprised of basic information that is typically logged or used for a patient visit, such as name, address, health care number (MCP), who you are visiting, reason for visit, your doctor, phone number, birth date, email address for notifications, in-patient/out-patient, mother's maiden name and marital status," the provincial government says in a security update.
"For current and former employees, the information includes name, address, contact information and Social Insurance number."
Officials say they do not believe that banking details for employees were exposed.
The government has published no tally of the number of affected individuals, but the province has a population of about 520,000.
The Royal Canadian Mounted Police is leading a criminal investigation into the incident, backed by the Canadian Center for Cybersecurity, which is the public-facing arm of the country's Communications Security Establishment and the national incidence response lead. The CSE is a sister signals intelligence agency to the U.S. National Security Agency and Britain's GCHQ.
Province officials say they have also notified the Newfoundland and Labrador Office of the Information and Privacy Commissioner about the breach.
"We deeply regret that this incident occurred and are taking steps to protect the privacy of our employees, patients and other members of our community," officials say.
While the provincial government says it plans to offer credit or identity theft monitoring to victims, it has not yet done so. Instead, officials have thus far put the onus on victims: "If you notice any unusual activity in any accounts or your account statements, please contact the appropriate service provider, such as your bank, as soon as possible," they say.
Disruptions to Surgery, Chemotherapy
The attack has resulted in ongoing disruptions to care in addition to exposed data. The province is comprised of four regional health authorities, although data was not stolen from all of them: Western Health - no data believed to have been stolen, Central Health - data exposure unclear, Eastern Health - 14 years of data exposed, and Labrador-Grenfell - 9 years of data exposed.
Officials say they're attempting to restore systems from backups, and that the process remains underway and is not yet complete.
On Thursday, for example, public broadcaster CBC reported that while the Health Sciences Center hospital in the city of St. John's had restored its Meditech system, which handles patient health information and financial details, it only included information from before the attack.
Each health authority has been publishing its own updates on the ongoing disruptions it continues to face.
We are providing an update about the IT systems outage which continues to impact a number of health-related services. We recognize the impact on residents in the region and apologize for the inconvenience. Read update here: https://t.co/CyhjZNgd5S— Western Health NL (@WesternHealthNL) November 8, 2021
Through at least Wednesday, for example, Western Health noted that only some appointments would be proceeding, including chemotherapy appointments "at a reduced capacity."
In addition, "only urgent and emergency appointments will proceed for surgery, endoscopy, blood collection, medical imaging, outpatient EKG, and fracture clinics," it said. "Western Health will endeavor to contact all individuals whose appointments are proceeding. All other appointments will be rescheduled."
National Security Threat
Security experts have said the apparent ransomware attack has again highlighted the impact such crime can have on national security, including public health.
"Ransomware is a significant threat, not just to individuals or to businesses, but also to national security, and our economies and our societies," cybersecurity consultant Brian Honan, who heads Dublin-based BH Consulting, told The Canadian Press.
In May, for example, the Conti ransomware operation hit Ireland's National Health Service, disrupting healthcare for months, despite the Irish government mobilizing its armed forces to help hospitals wipe and restore systems.
Groups such as Conti sometimes promise to never hit certain types of targets, such as hospitals, and if they do to provide a "free decryptor." But experts say that like all criminals, ransomware-wielding attackers regularly lie. Furthermore, fixing systems that get crypto-locked by malware, ideally by wiping and restoring them, can be an expensive and lengthy process.
Given that threat, some governments have been moving more aggressively to counter it.
U.S. President Joe Biden's administration, for example, recently began treating ransomware on par with terrorism, in terms of the resources being devoted to tracking and disrupting such criminal operations, as well as pursuing the perpetrators.