Some time between December 2019 and January 2020, eHealth Saskatchewan, the province-wide health delivery service, fell victim to a Ryuk crypto-ransomware attack, exposing the personal and medical information of more than 500,000 people. According to Ron Kruzeniski, Saskatchewan’s Information and Privacy Commissioner, the incident has been declared the largest data breach in the province’s history.
Following an investigation, the organization announced that the infected servers contained 50 million documents, related not only to eHealth, but also to Saskatchewan Health Authority and the Ministry of Health. Approximately 5 million of these documents contained personal information, which was then analyzed with a proprietary tool to identify the impact of the attack.
Overall, it was hard to determine if malicious actors had stolen data, or which type of information had specifically been compromised, due to them being encrypted. Some 40GB of data were accessed by IPs in Germany and the Netherlands.
In this case, it was enough for one organization to get infected and then operate as a third-party vulnerability for two other major government organizations, whose files were kept on the same servers.
In a separate statement, eHealth had stated in 2020 that a CAD$150 million investment was required to upgrade outdated hardware and software.
“A major equipment failure which may disrupt service and risk lives appears inevitable with the current funding model,” a prescient memo read at the time.
The human error factor
How did the Ryuk ransomware attack occur? Since human error has been described as the weakest link in an organization’s cybersecurity strategy, it should not come as a surprise that it is at fault in this very case. For instance, as many as 90% of data breaches in the UK in 2019 were directly linked to human error, as was the already infamous Equifax breach.
One of Saskatchewan Health Authority’s employees opened an infected file on a personal device connected to their workstation by USB. Human errors are often unintentional, yet there are those rare situations where malicious intent is behind it all. In this case, despite being trained on privacy issues, the employee was simply not aware of additional cybersecurity risks. This emphasizes the need for regular cybersecurity and privacy training to ensure employees are aware of and can recognize potential threats.
Business and financial implications
Healthcare is a critical sector actively targeted by ransomware attacks. Last year, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the U.S. Department of Health and Human Services (HHS) warned that this type of cyber threat has been increasing against healthcare organizations, which need to focus on mitigation and defense strategies. Moving forward, critical organizations will have to focus their efforts on multiple disaster recovery plans, as well as on improving network access monitoring.
It is worrying that the Ministry of Health was aware of ransomware exposure sometime mid 2020 and did not immediately inform authorities about the breach, Kruzeniski said. Additionally, eHealth did a poor job investigating the incident and communicating about the disruption, IPC added. This wobbling approach only allowed the information to be exposed for longer, with Saskatchewanians left unaware of which personal details were affected, for how long and by whom.
According to the province’s auditor, significant time was wasted with recovery and multiple critical systems were inoperable. It will be interesting to observe how this security breach will be dealt with under the Personal Information Protection and Electronic Document Act (PIPEDA), Canada’s federal law on patient privacy.
However, it is not solely about potential fines and that heads will roll. The failure to publicly announce the data breach as soon as it occurred will likely trigger trust concerns among patients, and possibly even among future business partners. Naturally, cost is not something to be neglected in this case, either. Let’s not forget that not only was a large volume of data compromised, but business operations were affected and IT systems were crippled for a protracted period. Although it occurred last year, it will take time, effort and financial resources to fully recover from this event.
These situations may be prevented if organizations invest in security practices and training for their employees, regularly patch software vulnerabilities to prevent exploits, and invest in security tools to automate monitoring.