N.L. cyberattack costs approach $16M, health minister says
John Haggie tells legislative committee cash came from government contingency fund
There are some new details emerging about how much last fall's cyberattack — considered one of the most serious breaches of its kind in Canadian history — has cost the Newfoundland and Labrador government.
"We have had expenditures related to the cyberattack which are just fractionally under $16 million," Health Minister John Haggie told a legislative committee Monday evening.
"They were flowed through to the health authorities and the [Newfoundland and Labrador] Centre for Health Information."
Haggie was responding to a question from Tory MHA Paul Dinn, who asked about transfers to the Health Department from a government contingency fund.
Less than a month ago, Haggie told reporters at a provincial budget briefing that he didn't have that number.
"I can't tell you what the cost for last year is," the minister said April 7.
"The best place to look for that probably would be public accounts, because that would be the consolidated [expenses]."
The public accounts generally aren't published until October, or later.
After question period in the provincial House of Assembly Wednesday afternoon, Haggie provided more details.
He reiterated a provincial outlay of $5 million went toward credit monitoring services for people affected by the breach, and said the bulk of the remaining amount went to staff overtime.
"There was an awful lot of people working some awfully long hours," Haggie said. "My understanding from the centre and from Eastern Health is that there were basically IT guys in the building 24/7 for two weeks."
The minister added that a "small amount" went to consulting and legal fees.
The Canadian Press recently reported that the government forked out $200,000 on public-relations advice related to the cyberattack.
- $200K public relations aid for N.L. cyberattack didn't result in transparency, says expert
- More health info stolen in N.L. cyberattack than government originally reported
Government officials have been tight-lipped about most aspects of the cyberattack, which threw the health-care system into chaos from late October into November.
One expert called the attack the worst in Canadian history.
The province won't say who was responsible, whether it was a ransomware attack, or whether any ransom was paid.
Haggie again deflected those questions Wednesday.
"I can't comment on the nature of the incident any further," he said. "It's a security issue and there are investigations ongoing."
Haggie told reporters last month that an extra $3.8 million has been allocated for the next year to bolster security systems.
Progressive Conservative health critic Paul Dinn said the $16 million in spending revealed by Haggie sounds low to him.
"I'm surprised it's not higher," Dinn told reporters Wednesday. "In fact, I suspect it probably is higher."
Dinn said it's important to factor in costs incurred by individuals affected by the cyberattack.
In late March, officials said more than 200,000 files were taken from an Eastern Health network drive that might contain patient and employee information dating as far back as 1996.
Dinn acknowledged there is frustration with how the situation has been handled.
"If you're dealing with our information that's been obtained illegally, then you would like to know," he said.
"And to default to the fact that we don't want to give information to other hackers, are what I would call lame responses, because they've already hacked in."