N.L. sues to halt privacy commissioner's cyberattack investigation, citing 'bias' concerns
Court filings outline extent of watchdog’s probe, reveal government unease
The Newfoundland and Labrador government is going to court to stop the privacy commissioner from continuing to investigate the devastating 2021 cyberattack that threw the province's health-care system into chaos.
CBC News has obtained court documents that shed new light on the scope of the watchdog's probe and government concerns about it.
In court filings, the province says the investigation deals with issues that arose when commissioner Michael Harvey held positions of responsibility in the Department of Health, creating "a reasonable apprehension of bias."
Harvey was an assistant deputy minister of health before being appointed information and privacy commissioner in the summer of 2019. He also served on the board of the Newfoundland and Labrador Centre for Health Information for about two years, up to August 2019.
"As a matter of procedural fairness, therefore, the commissioner should not be permitted to lead the investigation or participate in it in any manner," the province says in court filings.
Harvey has yet to file a response at Newfoundland and Labrador Supreme Court.
But in past correspondence that was included with the government's court submission, Harvey defended himself, saying he reviewed precedent and concluded that his former roles raised no reasonable apprehension of bias.
"I gave careful consideration to this subject when deciding whether to launch an investigation," Harvey wrote in a letter to the province's four health authorities on March 28, 2022.
"I reflected on my time at the board and could recall no instance in which decisions were taken about cybersecurity during this period. In fact, I could recall no explicit discussions of cybersecurity during this period."
Watchdog looking at broad array of issues
The government filed its court action last week — the day after Justice Minister John Hogan revealed that the Hive ransomware group was behind the 2021 cyberattack.
At the time, Hogan continued to sidestep questions about whether a ransom was paid, citing security concerns.
The province also issued a 12-page report on what happened a year and a half ago.
The government's new court filings show that the privacy commissioner is looking at a broad array of issues.
In January, investigators sent a lengthy list of questions to the Department of Health, via lawyers at the Department of Justice.
That document — included as an exhibit in the government's own public court filings — includes details the province has previously insisted must stay under wraps.
It references a 2019 privacy and security posture assessment by Deloitte that was provided to the Newfoundland and Labrador Centre for Health Information. NLCHI is responsible for network security for all health authorities in the province.
More than a year ago, CBC News asked for that report, through an access-to-information request. The security assessment results and recommendations were almost entirely blacked out in the version released in response.
The letter from the privacy commissioner's office in the government's court filings reveals some of that previously excised information.
It says the Deloitte report identified a number of cybersecurity weaknesses and gaps and "also confirmed that neither NLCHI nor the regional health authorities were fully compliant against the international cybersecurity standards they were measured against."
Investigators asked whether the Health Department received that report and whether they provided resources or funding to NLCHI to address those cybersecurity gaps.
Black ink erased in 'no red flags' assessment
The commissioner's office also had questions about a 2020 cyberthreat assessment that then health minister John Haggie spoke publicly about last year, to rebut CBC News reporting about flaws identified in the system by a consultant.
At the time, Haggie said that threat assessment "highlighted no red flags."
- Haggie downplays cyber-risk 'business proposal,' says threat assessment found no red flags
- CBC INVESTIGATES | Long before N.L. cyberattack, report flagged flaws in system
CBC News subsequently asked for that document, through an access-to-information request, and received a partially redacted version. It was titled "Ransomware: Threat and Mitigation Plans."
The letter from investigators included by the province in the public court file references sections that appear to have been previously blacked out:
- "Significant IT vulnerabilities exist, with new vulnerabilities identified daily such as outdated OS, unpatched systems, software flaws."
- "NLCHI, under the existing mandate, will require significant effort to elevate all eHealth IT environments to an acceptable level of security."
Investigators with the privacy commissioner's office asked what the department did to address those concerns.
The commissioner's office also said it understood that a number of people at the department were asked to sign non-disclosure agreements. Investigators asked who signed such an agreement, and requested a copy so they could see the wording.
In total, the watchdog sent questions spanning 16 separate subject areas, in a letter that ran a dozen pages.
- CBC INVESTIGATES | Cybersecurity framework still not finalized after 3 years, N.L. agency blames COVID-19 for delay
In its court application, the government says a significant number of those questions and information requests relate to the period when Harvey was an assistant deputy minister, including time when he was on NLCHI's board.
"The commissioner is purporting to carry out an investigation that includes events that occurred and decisions that were made when he was one of the people responsible for overseeing the events, and making the decisions, in issue," the filing noted.
"Given the magnitude of the cyber event and the importance of the investigation, having the commissioner conduct the investigation would be unfair, and should not be permitted to continue."
The province didn't return a request for comment sent Monday afternoon.
In an email, Harvey said he is reviewing the documents with staff and his solicitor, and may be in a position to comment Tuesday afternoon or Wednesday morning.
The matter is on the docket at Newfoundland and Labrador Supreme Court for April 6.
As of December, the number of patients and employees affected by cyberattack-related privacy breaches topped 58,000 — more than one in every 10 people in the province.
The commissioner's investigation is being carried out under provincial privacy protection laws, including the Personal Health Information Act.