The federal agency that helps protect Canadians against epidemics came down with a devastating case of computer cramps last year that could have put lives at risk.

Hundreds of computers at the Public Health Agency of Canada fell victim to a "worm," a bit of malicious software that nearly brought operations to a halt.

The infection began with just a few computers but spread like a Prairie grass fire, eventually knocking out 1,308 work stations in three cities and taking more than a month to eradicate, say newly released documents.

The "worm" also spread to Health Canada when infected agency computers tapped into the bigger department's data network, disabling 543 additional work stations in five of Health Canada's Ottawa-area offices.

The attack is estimated to have cost the agency up to $1.5 million, including down time for employees made idle by their ailing work stations. More than 50 technicians and other experts struggled for weeks to contain the damage.

A Nov. 26, 2007, post-mortem report on the emergency warned that "the total cost of this incident could have been higher if this event occurred during a time of public health crisis, including loss of life."

The Canadian Press reviewed a 600-page file on the attack obtained through the Access to Information Act.

Error messages began chain of events

The trouble began mid-afternoon on Monday, Jan. 15, last year when a few computer users at the agency and at Health Canada reported getting error messages.

The next day, at least 50 users were unable to connect to the shared Health Canada network. By the following week, up to 80 per cent of work stations at the Public Health Agency of Canada were infected in Winnipeg, Guelph, Ont., and the Ottawa area.

"Any documentation residing on the network, desktop, computer or server could have been compromised; most of network was affected," says an "injury assessment" from Feb. 8.

Government protocols require that sensitive, confidential information about patients, doctors, drugs, and so forth be stored on a highly secure server. But the injury assessment noted that "there is a lack of technical and administrative controls to control and audit the unauthorized storage of information on corporate desktops."

The released file suggests officials could not determine for certain whether confidential information leaked out.

And spokespersons for the public health agency and for Health Canada did not immediately respond to requests for comment and clarification, such as what kinds of sensitive information was placed at risk by the worm infestation.

The post-mortem report said officials were not able to identify the precise origin of the attack, but noted that it spread rapidly by exploiting known vulnerabilities in Microsoft Windows and in Symantec Client Security and Antivirus software.

Fixes, or patches, had been available to repair the vulnerabilities well before the worm attack "but were not rolled out to desktops prior to the outbreak."

The agency eventually brought in outside help, the consulting firm Third Brigade, which fought the persistent worm for 26 days. "In some cases, the machines were re-infected within 30 seconds of being cleaned," the company said in a report.

Unlike software viruses, which attach themselves to programs and files, worms are designed by hackers as stand-alone entities to interfere with computer operations.

They propagate through e-mail or weak security points in common software and, once in place, can be used by the attacker to remotely access sensitive, confidential information.

The worm that attacked the agency (W32/IRCBot-TO) was first identified in January 2007, joining thousands of other worms that have been launched into cyberspace over the last few years.