Health Authority changing security policy after probe into cyberattack
Office of the provincial privacy commissioner says risk of patient information exposure is "high"
The Nova Scotia Health Authority is reviewing its email and security policies after 2,841 patients had information about surgeries exposed during a phishing attack last year.
However, the health authority disagrees with an opinion from the office of the province's Information and Privacy Commissioner that there is a "high risk" that personal health information could be "readily transported and utilized by malicious actors."
"We're studying the recommendations," said Karen Hornberger, provincial director of privacy for the NSHA. "It's a little premature to say whether or not we're going to accept all of them at this point.
"Right now we are studying the feasibility of undertaking all the recommendations. However, we have taken steps for some of them."
Those steps include working with the provincial IT provider to make sure all evidence is preserved after a cyberattack.
NSHA promoting anti-phishing
Hornberger's office is also working on a stronger protocol that will outline exactly what steps to follow in case of a cyberattack like the one that happened last year.
Around May 8, 2019, one NSHA employee fell victim to a phishing email that purported to come from the IT department. She entered her username and password, which gave the attacker access to her email account.
That employee was responsible for tracking wait times. To help in that job, she received automated emails with reports on patient data.
There were 95 documents in Microsoft Excel and Adobe PDF format attached to emails in the compromised account.
The documents concerned patients at the Colchester East Hants Health Centre in Truro. They listed the type of procedure, the date it was performed or scheduled, the staff assigned along with the patient's name, date of birth and health-care number.
Thousands of spam messages
The compromised account began sending out thousands of spam messages, both to other NSHA employees and to Hotmail and Gmail accounts.
On May 10, other NSHA users reported the compromised account was sending out spam. The provincial IT department that provides services to the NSHA eventually changed the employee's password on May 13.
The attacker, or attackers, had access to the email account for about five days. The NSHA doesn't know who launched the attack or why it happened.
The IT department was not able to tell the NSHA where the attacker logged in from, how many times the attacker logged in, how long the attacker spent logged in, or whether the attacker downloaded any of the attachments containing patient information.
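The four questions in the paragraph above are exactly what mailbox audit logging exists to answer. The Python below is an added illustration, not part of the CBC article and not a description of the NSHA's or its IT provider's systems: it scopes a compromised mailbox from a constructed JSON audit log. The record layout, the account name, the IP addresses, the corporate address range, the file name and the containment time are all assumptions made for the example.

```python
"""
Scope a compromised-mailbox incident from audit events.

Added example, not from the article or the NSHA. It assumes a mailbox
service that writes one JSON record per login, logout, attachment
download and message send. Every value below is constructed.
"""
import json
from datetime import datetime, timezone

# Assumed legitimate source range for the employee (constructed).
CORPORATE_PREFIXES = ("10.20.",)

# Constructed sample log: the user works from the corporate range, then a
# foreign address logs in after the phish, pulls a report and sends spam.
# The last session has no Logout because the credential was still valid
# when the password was finally reset.
SAMPLE_LOG = """
{"ts": "2019-05-08T08:02:11Z", "op": "MailboxLogin", "user": "wait.times@example.org", "ip": "10.20.0.15", "session": "s1"}
{"ts": "2019-05-08T16:30:00Z", "op": "Logout", "user": "wait.times@example.org", "ip": "10.20.0.15", "session": "s1"}
{"ts": "2019-05-08T21:14:03Z", "op": "MailboxLogin", "user": "wait.times@example.org", "ip": "203.0.113.77", "session": "s2"}
{"ts": "2019-05-08T21:20:45Z", "op": "AttachmentDownload", "user": "wait.times@example.org", "ip": "203.0.113.77", "session": "s2", "file": "or_waitlist_2019-05-07.xlsx"}
{"ts": "2019-05-08T21:31:10Z", "op": "Logout", "user": "wait.times@example.org", "ip": "203.0.113.77", "session": "s2"}
{"ts": "2019-05-10T03:05:30Z", "op": "MailboxLogin", "user": "wait.times@example.org", "ip": "203.0.113.77", "session": "s3"}
{"ts": "2019-05-10T03:06:00Z", "op": "Send", "user": "wait.times@example.org", "ip": "203.0.113.77", "session": "s3", "recipients": 250}
{"ts": "2019-05-10T03:09:00Z", "op": "Send", "user": "wait.times@example.org", "ip": "203.0.113.77", "session": "s3", "recipients": 250}
"""


def parse_log(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def _t(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_foreign(ip):
    return not ip.startswith(CORPORATE_PREFIXES)


def scope_compromise(events, user, containment_time):
    """What the audit trail can establish about attacker activity in `user`'s mailbox.

    Returns None when there are no login records at all: without mailbox
    audit logging none of the questions can be answered, which is the gap
    the article describes.
    """
    evs = sorted((e for e in events if e["user"] == user), key=lambda e: e["ts"])
    if not any(e["op"] == "MailboxLogin" for e in evs):
        return None

    sessions = {}
    downloads = []
    spam_recipients = 0
    for e in evs:
        if not is_foreign(e["ip"]):
            continue  # the employee's own activity is not in scope
        s = sessions.setdefault(e["session"], {"ip": e["ip"], "start": None, "end": None})
        if e["op"] == "MailboxLogin":
            s["start"] = _t(e["ts"])
        elif e["op"] == "Logout":
            s["end"] = _t(e["ts"])
        elif e["op"] == "AttachmentDownload":
            downloads.append(e["file"])
        elif e["op"] == "Send":
            spam_recipients += e.get("recipients", 1)

    containment = _t(containment_time)
    total_seconds = 0
    for s in sessions.values():
        if s["start"] is None:
            continue
        # An open session stays usable until the credential is reset.
        end = s["end"] or containment
        total_seconds += (end - s["start"]).total_seconds()

    return {
        "source_ips": sorted({s["ip"] for s in sessions.values()}),
        "login_count": sum(1 for s in sessions.values() if s["start"] is not None),
        "minutes_logged_in": round(total_seconds / 60),
        "attachments_downloaded": downloads,
        "spam_recipients": spam_recipients,
    }


if __name__ == "__main__":
    # Containment time is assumed: the article only says the password was
    # changed on May 13.
    print(scope_compromise(parse_log(SAMPLE_LOG), "wait.times@example.org",
                           "2019-05-13T09:00:00Z"))
```

The point of the open-session case is that "how long was the attacker logged in" is bounded by the password reset, not by the last observed event, so a slow response to a reported compromise directly widens the exposure window.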
Notification to patients
About a month after the breach, the NSHA notified patients and the public about a "potential" privacy breach.
The breach was called potential because the NSHA was not certain whether the attackers took any of the sensitive attachments, but Hornberger thinks it's unlikely.
"When you look at some of the risks such as financial fraud, the risk of financial fraud is not there with this information," she said.
No patient SIN numbers, credit card information, or banking information was in the compromised email account.
The NSHA has 30 days to review the report. It will be sending out updated letters to all 2,841 patients based on its findings.
The report written by Janet Burt-Gerrans, the acting director of investigations and mediation for the Office of the Information and Privacy Commissioner, disagrees with the NSHA's assessment of low risk at the time of the attack.
Burt-Gerrans's research suggested personal health information is valuable because it does not expire, and that it is a valuable commodity in the "black market" of personal information.
"With health data, individuals cannot cancel or otherwise reissue their personal health information. It remains accurate and valuable in perpetuity," she wrote.
Burt-Gerrans said fraudsters in the United States have filed false claims to health insurance plans to get money.
Since the attacker had access to the account for five days, Burt-Gerrans concluded the account could have been used for more than phishing other people.
"It is not reasonable to conclude that the attacker did not also look around within the email account to steal any useful or valuable information," Burt-Gerrans wrote.
Limited value information?
Hornberger said because there were no SIN numbers or any other financial information exposed, the risk of financial fraud is much lower than in the United States, where patient information is often linked to social security numbers.
"The risk of someone taking someone's account and pretending to be them and opening up a financial account or some sort of scam like that is much, much lower than it would be in the States," she said.
Hornberger said the information about surgeries and health-card numbers have limited value for fraud.
"The information such as what surgery procedure you were scheduled to have or did have, absolutely is sensitive and private and should always remain private," she said.
"We do acknowledge that any potential breach of that is egregious, and it shouldn't happen and it's unfortunate that it was potentially exposed in this way. But we still feel based on the limited amount of information that was potentially exposed that the risk is low."
The NSHA received the report on Feb. 26, and has 30 days to respond.
The six recommendations Burt-Gerrans made are:
- Within 30 days, the NSHA should establish written and specific service standards and protocols for its IT providers for responding to cyber threats.
- Immediately begin monitoring the dark web for personal health information from this breach, and continue for two years.
- Provide the 2,841 affected patients with more comprehensive information about what happened in the breach within 30 days.
- Immediately stop using email to deliver aggregated data and reports about personal health information.
- Tell all NSHA employees to securely destroy emails containing personal health information in their accounts within 30 days
- Change its records retention policies within six months to require employees to destroy "transitory" records of personal health information after they're no longer required.
Nova Scotia's new Information and Privacy Commissioner, Tricia Ralph, took over the job on March 1.
In an email to CBC, Ralph wrote that she endorsed the report written by Burt-Gerrans, and she finds it a "well written and reasoned decision."