
Some patient SINs stolen in N.L. cyberattack

More than a month later, the provincial government still won't talk about the nature of the attack or who's to blame.


Newfoundland and Labrador Justice Minister John Hogan, along with the CEOs of all four provincial health authorities, will provide an update on the cyberattack that has disrupted the Newfoundland and Labrador health-care system since Oct. 30. (Government of Newfoundland and Labrador)

The social insurance numbers of more than 2,500 patients were stolen in an October cyberattack on Newfoundland and Labrador's health-care system — and the head of the province's largest health authority says they weren't even supposed to have collected that information.

During a media briefing on Tuesday, Eastern Health president and CEO David Diamond said social insurance numbers are not normally collected during registration, and the health authority is reviewing how and why that information was collected.

"Mitigation plans are being developed as we speak to prevent this from happening again," Diamond said.

He said there is a field for collecting social insurance numbers on the patient intake form, and employees may have accidentally collected them during patient registration.

"We actually don't see that there was ever a need for social insurance numbers to be collected that way," he said. "In many cases this may simply have been human error."

Most of the 2,514 patients affected are in the Eastern Health region, but there are some in the Central Health and Labrador-Grenfell Health regions.

On top of that, other personal health information of patients from all four regional health authorities who have had blood work or other laboratory tests — including anyone who's had a COVID-19 test — analyzed through Eastern Health has been stolen.

While personal health information was accessed, test results were not, said Diamond.

More employees affected

The health authorities have also changed the time frame to include more employees.

Eastern Health previously said employee and patient data going back 14 years had been taken in the attack.

On Tuesday, Diamond said the investigation shows employee data going back 28 years and patient data going back 11 years has been compromised.

"We will be making every effort to identify individuals and ensure that they are notified," Diamond said, though he also encouraged people to be proactive if they believe their information has been compromised. 

Of the 2,514 patients who had their social insurance numbers stolen, 1,970 are in Eastern Health, though the majority are now deceased, said Diamond. Eastern Health is notifying 900 patients that their social insurance numbers have been compromised, he said.

In the Central Health region, employee data going back 28 years and patient data going back 15 years has been stolen, said Diamond, who said 520 patients have had their social insurance numbers taken, though most of them are now deceased.


In the Labrador-Grenfell Health region, the social insurance numbers of about 20 patients have been stolen, though four of those patients are now deceased, said CEO Heather Brown. 

"We will be contacting the remaining patients through mailed letters," Brown said.

The investigation has now confirmed that employee information going back eight years has been compromised, rather than nine years as previously reported. The breach still goes back nine years for patient information. 

In Western Health, interim CEO Michelle House said their systems were not breached, but some patients' personal health information that was part of laboratory tests — like blood work or COVID-19 tests, which are sent to Eastern Health for analysis — has been compromised.

She said there is no evidence to suggest the social insurance numbers or test results of Western Health patients have been stolen.

Patients who have had their personal health information compromised in the cyberattack can avail of two years of free credit monitoring, while employees and patients who have had their social insurance numbers stolen can avail of five years of credit monitoring, paid for by the province.

No new info about perpetrators

Justice Minister John Hogan wouldn't give any new information about the investigation into the attack but said most systems and services have been restored.

"We're not in a position to speculate and provide speculative information to the public," he said.

Hogan said he doesn't know how much the cyberattack will cost the province. He said the province is strengthening its IT systems but did not provide specific information about which systems are being strengthened and how.

"We are going to do everything we can in our power to strengthen our IT systems as we move forward," he said.

Diamond said he can't explain why data going back 28 years was stored on an unencrypted server.

"That will be part of the ongoing investigation and review," he said.

In November, PC Opposition leader David Brazil pointed to Meditech, the system that manages health-care information in the province, as a possible weak point in cybersecurity that might have allowed the cyberattack to occur.

On Tuesday, Diamond said that while the Meditech system is aging, there is no indication it was a factor in the attack.

"It is an old work engine that has served us well for a long time," he said.
