Privacy commissioner promises investigation into N.L. cyberattack

Michael Harvey says his office's investigation will look at whether the information was held according to industry standards.

Michael Harvey says investigation will look at whether the information was held to industry standards

Michael Harvey, Newfoundland and Labrador's provincial information and privacy commissioner, says his office will open an investigation into the cyberattack and the government's response. (Patrick Butler/Radio-Canada)

Newfoundland and Labrador's information and privacy commissioner says his office will be investigating the cyberattack that has hamstrung the province's health-care IT systems for nearly two weeks.

Michael Harvey's announcement comes after this week's news that as part of the attack, hackers have stolen the personal information of patients and employees in the Eastern Health and Labrador-Grenfell Health region.

Officials have said the stolen information was unencrypted, meaning there were no safeguards to prevent the hackers from reading it. Harvey said his office's investigation will look at whether the information was held securely and according to industry standards.

"Was it a deficiency on the part of Newfoundland and Labrador in keeping up to industry standards? Or was it a problem that the criminals are just one step ahead of even the industry standards?" said Harvey.

Harvey said his office was informed of a possible data breach on the Monday after the attack, more than a week before the government publicly said information had been stolen. He said his office received official confirmation Tuesday, the same day as the public.

With tens of thousands of employees and hundreds of thousands of patients affected, said Harvey, the breach is far and away the largest in Newfoundland and Labrador history.

PC Leader David Brazil, left, and NDP leader Jim Dinn called on the government Wednesday to be more transparent with the public about the cyberattack and the stolen patient and employee data. (Mark Quinn/CBC)

The opposition is also calling for answers after Tuesday's announcement of the data theft.

PC Leader David Brazil and NDP Leader Jim Dinn both told reporters Wednesday at they learned of the data breach on Tuesday but weren't sure how long the government knew about it before sharing the news with the public.

"Government needs to be proactive. They need to be out front of it. People need to be reassured," Brazil said. "This is about people's immediate response now and their immediate fears about what's going to happen with their credit ratings and their financial information." 

News of the breach was the latest development in the 11 days since a cyberattack halted much of the province's health-care system, including surgeries, tests and other non-emergency procedures.

According to government officials, the information was accessed through the health-care system's Meditech information database.

The breach involves basic patient information, including names, birthdays, addresses, email addresses, phone numbers, medical care plan numbers, marital status, in-patient and outpatient times and the name of the person's family doctor.

Personal information — including names, addresses and social insurance numbers — of Eastern Health employees going back 14 years and Labrador Grenfell-Health employees going back nine years has also been breached, said officials. Health Minister John Haggie said there is no indication banking information was included in the breach. 

"We've got tens of thousands of health-care workers whose information has been compromised by this breach, they need to feel secure," Brazil said.

PCs call for debate, NDPs want answers

Premier Andrew Furey said a public notification process is underway to outline what steps people should take to protect themselves from identity theft and monitor their financial information. The process includes online resources and a toll-free phone number.

Dinn said the government needs to outline its cybersecurity measures and explain how the breach occurred.

"That will be the only way we can put it in the measures needed to hopefully prevent such future attacks," he said.

He suggested budget cuts led to deterioration of cybersecurity measures guarding Newfoundland and Labrador's health-care system. 

"We know that these attacks happened … throughout the world. Were we totally prepared?"

Read more from CBC Newfoundland and Labrador

With files from Mark Quinn, Patrick Butler and Alex Kennedy