In consultation with the Office of the Saskatchewan Information and Privacy Commissioner, eHealth Saskatchewan (eHS), the Saskatchewan Health Authority (SHA) and the Saskatchewan Ministry of Health are providing an update on the eHealth malware attack reported in January 2020 and advising Saskatchewan residents that a privacy breach of personal health information may have occurred as a result of the malware attack.
eHS, SHA and Ministry of Health take the safeguarding and protection of personal health information very seriously and immediately launched a months-long forensic investigation following the ransomware attack. Following the forensic investigation, eHealth advises that a breach of personal health information has potentially occurred. The breach impacted information on systems administered by eHS for the SHA and Ministry of Health.
While the forensic investigation rendered no evidence that personal health information was compromised, the investigation was unable to rule out a breach of personal health information. The inability to absolutely verify that no privacy breach occurred is leading to public notification of a potential privacy breach involving personal information or personal health information.
Upon discovery of the malware attack, eHealth Saskatchewan managed to contain and eliminate the malware and restore compromised files. However, the conclusion of a likely privacy breach follows findings in the forensic investigation that some files were sent to a suspicious IP address. Those files had been encrypted during the attack, and were restored from back-ups. Therefore, it is impossible to say with any accuracy precisely what information from the larger group of files was sent to the IP address.
eHS continues to monitor and scan the internet for any signs that Saskatchewan files have found their way into improper hands. The latest six-week scan was completed in November and to date there continues to be no evidence to show this has happened.
The ransomware attack occurred after an employee in the health care sector opened a suspicious attachment in an email and malware was spread throughout Saskatchewan’s IT system. This points to the limitations of cyber-security measures and the need for everyone to be extremely cautious about opening email attachments. This is particularly important at a government workplace, where sensitive information is held.
Since the malware attack eHS, SHA and Ministry of Health have intensified training for employees on the dangers of opening email with suspicious attachments. eHealth is also continuously making security upgrades to its IT network to strengthen the security environment.
All active SHA staff are required to take mandatory privacy training every three years or as directed. The SHA also has standard privacy and confidentiality policies, including requirements for staff to sign confidentiality agreements to help protect personal health information.
Since the malware attack eHS, SHA and the Ministry of Health have intensified training for employees on the dangers of opening email with suspicious attachments. eHS is also continuously making security upgrades to its IT network to strengthen the security environment. eHS has also recently procured a new program for providing IT security education to health system physicians and staff that will strengthen knowledge among health care workers about the steps they can take to better protect personal health information from malicious cyber-attacks
The OIPC has advised eHS, SHA and the Ministry of Health that the malware attack and subsequent response are a topic of a forthcoming investigation report by the OIPC. eHS, SHA and the Ministry of Health await the final findings and recommendations of the OIPC to inform further action that will be taken to address the breach and protect the personal health information of Saskatchewan residents.
This ransomware attack can serve as a reminder to health system employees and every Saskatchewan resident to take these basic steps and protect their information:
If you do suspect a breach of your personal health information, you can contact SHA’s Privacy Office at firstname.lastname@example.org
Anyone with a concern about privacy and protection of their personal health information can contact the Office of the Information and Privacy Commissioner: