Office of the Information and Privacy Commissioner – Report P-2023-001/PH-2023-002 Released

May 24, 2023

To view the Report in its entirety, please go to www.oipc.nl.ca/reports/commissioner.

Report: P-2023-001/PH-2023-002
Report Date: May 23, 2023
Public Body: Provincial Health Authority and Department of Health and Community Services.
Summary: The investigation by the Office of the Information and Privacy Commissioner (OIPC) into the October 2021 cyber attack on the provincial health system is now complete. The Investigation Report may be found on our web site at www.oipc.nl.ca under “What’s New” or click on “Reports” and navigate to “PHIA Privacy Reports” or “ATIPPA Privacy Reports.”

The Report was issued by Sean Murray, Director of Research and Quality Assurance, acting in the role of Commissioner’s Delegate, in accordance with the authority delegated to him by Commissioner Michael Harvey under section 103 of the Access to Information and Protection of Privacy Act, 2015 and section 80 of the Personal Health Information Act.

The Report contains 34 findings and six recommendations. All six recommendations are directed to the new Provincial Health Authority.

The Report found that significant cyber security vulnerabilities existed for some time prior to the cyber attack, that these vulnerabilities were known within the Centre for Health Information when it took over responsibility for cyber security from the Regional Health Authorities, and that the Department was informed in 2020, over a year prior to the cyber attack, that a threat assessment rated the chances of a cyber attack as “high” and the impact of such an event as “high.”

Efforts to reduce these vulnerabilities prior to the cyber attack were inadequate. The resulting cyber attack was the largest privacy breach ever experienced in this province, which saw the personal health information or personal information of the vast majority of our population taken by malicious threat actors. It was also one of the largest ransomware attacks in Canada to date.

The Report found that the Centre for Health Information took reasonable steps in investigating the cause of the cyber attack and attempting to contain the privacy breach. Many, but not all, of the steps taken to notify affected individuals were reasonable. The Department took a leading role in deciding what information would be disclosed and when, and it did not provide an adequate response to our questions to justify the delay in publicly disclosing certain details about the cyber attack.

The havoc caused by the cyber attack is not the end of the story. Since the date of the attack, substantial effort has been expended by the Centre for Health Information (now part of the new Provincial Health Authority) through a series of projects called Breakwater, which has significantly enhanced cyber security for our provincial health information systems. Our Report concludes that reasonable cyber security steps have been taken since the cyber attack, and work is continuing in order to mitigate the risk of a future cyber attack, and to reduce its impact should one occur.

Mr. Murray commented: “Cyber security is and will continue to be an ongoing arms race with organized crime as well as state-sanctioned actors who will not only attempt to extort us and breach our privacy, but also cause us to incur significant costs and harm actual health care delivery and other public services and critical infrastructure, potentially putting lives at risk. It’s nothing less than a matter of national security and needs to be treated as such going forward.”

Among the six recommendations, one is that the Breakwater projects be appropriately resourced and implemented within the time frame outlined in the plan, with the goal of ensuring that cyber security across the provincial health information system meets internationally accepted cyber security standards. “Bolstering security in the short term only to see it lag again over the medium to long term will see us just as vulnerable as we were in 2021, and that is not an acceptable option.”

Another recommendation is that the Provincial Health Authority create a Chief Privacy Officer position. Other recommendations focus on notification and information management policies.

Mr. Murray commented, “They say never waste a crisis, and indications are good so far that important lessons have been learned. However, those lessons must be fully integrated into the underlying philosophy and operational mandate of the entire health care system, not only in word, but in deed. There will be financial costs of course, but there are even greater financial costs if we fail. Failure would also mean the incalculable cost of losing public trust in our health care system, which has certainly taken a hit with this cyber attack. I hope this Report, by shedding light on the 2021 cyber attack and how our health care organizations responded to it and are working to prevent future such attacks, will help to restore some of that public trust.”

-30-

Media contact
Sean Murray
Director of Research and Quality Assurance
709-729-6309
commissioner@oipc.nl.ca

Background:
Commissioner Harvey recused himself from the cyber attack investigation on March 21, 2023, in response to a court application by government seeking to remove him from the investigation due to allegations of reasonable apprehension of bias based on Commissioner Harvey’s executive position with the Department of Health and Community Services prior to his appointment as Commissioner. While he rejected the allegations as unfounded, he nevertheless delegated responsibility for the investigation and issuance of the Report to Mr. Murray because of the delay that would have resulted from having the matter heard in court.
