N.L. government doesn't know who might have patient and employee data hit by cyberattack
'We deeply regret that this incident occurred,' says health authority CEO
Newfoundland and Labrador Health Minister John Haggie and Justice Minister John Hogan say patient information from the Central Health regional authority has been accessed as part of the cyberattack on the province's health-care system — but they don't know whether it's been stolen, or by who.
The news comes one day after officials said both patients and employees in the Eastern Health and Labrador-Grenfell Health regions had their personal information stolen in the same cyberattack.
The government says it doesn't know who might have the personal information of potentially hundreds of thousands of patients and employees from all three of the health authorities.
Officials had earlier indicated the information from Eastern Health and Labrador-Grenfell had been stolen, but backed off from that on Wednesday.
"Based on investigations to date, we currently understand that certain data was accessed. The investigation is also focusing on the impact of that access to determine what, if any, data was taken," said Hogan.
He said there is no evidence the information has been misused.
The breach in all three health authorities includes basic patient information such as names, birthdays, addresses, email addresses, phone numbers, medical care plan numbers, marital status, in-patient and outpatient times and the name of the person's family doctor.
Officials said the personal information of Eastern Health employees going back 14 years, and Labrador Grenfell-Health employees going back nine years, has been accessed.
Central Health CEO Andrée Robichaud said employee information going back 13 years appears to have been accessed but the health authority can't yet confirm it.
That information includes names, addresses, contact information and social insurance numbers. Haggie said there is no indication banking information was included in the breach, but the government will be providing credit monitoring services.
"We deeply regret that this incident occurred," Robichaud said.
Robichaud said Central Health has no evidence to indicate that vendor data has been accessed.
Haggie said Western Health patient and employee data has not been accessed, although he would not say how that was determined.
Officials still cagey, cite security concerns
Officials have not said who is behind the health-care system disruptions, and on Wednesday again refused to confirm the nature of the cyberattack. Sources have told CBC News the breach is a ransomware attack.
Haggie said the province has engaged cybersecurity experts to help in the response to the attack, but has not said who those experts are.
Haggie would not say how the data was accessed, or whether it was encrypted, although officials said Tuesday the data was unencrypted.
"Our advice from world-class experts is to say nothing," Haggie said.
In an interview Wednesday morning, Information and Privacy Commissioner Michael Harvey said his office was first informed of a possible data breach more than a week ago. Haggie said the government did not share that information until it was confirmed for security reasons, and because it did not want to fuel speculation.
"It's a balance about transparency and speculation," he said.
Haggie said the Health Department does not have detailed numbers on how many people have been affected by the breach, beyond noting that there are about 400,000 medical interactions per year in the N.L. health-care system.