One of Canada’s leading privacy experts is outraged that hackers were able to access the data of thousands of patients and hospital employees in the Newfoundland and Labrador healthcare system.
“It’s appalling,” former Ontario privacy commissioner Ann Cavoukian, now executive director of the Global Privacy and Security by Design Centre, said in an interview. “What is wrong with these people in terms of the lack of security?”
Last week the province acknowledged that at the end of October, unnamed attackers accessed what it called basic admitting information of hospital patients as well as current and former employee data in three of its four health districts.
In the case of the biggest, the Eastern Health authority — which includes the provincial capital of St. John’s — data goes back 14 years. For another region the data goes back 13 years and the third region nine years.
The government has given few details about the attack because there is an ongoing investigation, and it doesn’t want to divulge security-related information to hackers who are watching the press conferences. One thing is clear: The data wasn’t completely segregated. Provincial health and community services minister John Haggie told reporters last week that “health and employee information is shared across a network.”
The province stresses that — so far — there is no confirmation any data was copied. That drew scorn from Cavoukian. “If data has been accessed the potential for it to be copied and rendered in ways that were never contemplated escalates dramatically … That’s pretty lame [saying] the data has been only accessed.”
Haggie has refused to say how many people’s data was accessed. However, he did say that every year there are about 400,000 interactions between the public and the healthcare system. “So the math could be quite large,” he said.
For patients, the accessed data includes basic information that is typically logged when a patient is admitted including name, address, health care number, their doctor, phone number, birth date, email address for notifications, in-patient/out-patient, mother’s maiden name, and marital status.
For current and former employees, the information includes name, address, contact information, and Social Insurance Number. There is no evidence that banking information of employees was involved, the government says.
“It’s very sensitive [data], and not just the data of employees,” Cavoukian said. “Hundreds of thousands of patients are affected. This is sensitive health information. Why wasn’t it encrypted? Why were there not security measures associated with this? I think it was just overlooked all these years.”
Haggie’s office was asked Monday morning to respond to Cavoukian’s remarks. No response was received by press time.
Asked how current and historical data should be protected, Cavoukian said there should be no distinction. “Both require very strong data protection and security measures. Just because it’s historic data doesn’t mean it’s no longer relevant or harm can’t be inflicted if it’s accessed. The same kind of [protective] measures need to be extended to both in terms of the protection that was required. That was clearly lacking in this case.”
Meanwhile the Toronto Transit Commission last week acknowledged the data of 25,000 current and former transit employees was copied in a ransomware attack.
“What I don’t understand,” said Cavoukian, “is you hear these stories [of data breaches] quite frequently now. Why isn’t this sending a message to everybody, both public and private sector: we have to strengthen our security measures? The potential for risk, for hacking is enormous. And it’s escalating. So why aren’t people escalating their security measures?”
The reason, she believes, is organizations are sticking their heads in the sand. “Honestly, I think they are saying, ‘It won’t happen to us. The odds of us being at risk are minimal.’ Which is nonsense. Maybe they don’t know what to do. They can easily find out what to do. But maybe they don’t have the resources in place to strengthen their cybersecurity measures.”
Asked what companies tell her, Cavoukian said officials tell her they are aware of the risk “and they are ramping things up now. Whether they are or not I don’t know. But it doesn’t appear that governments are doing that. I hope I’m wrong.”
The best practice for protecting data is encryption, she stressed. Many cybersecurity providers offer encryption services, she pointed out, “so it’s not like you need in-house expertise.” In addition, she added, access to sensitive data has to be restricted to a limited number of employees, so that the compromise of one employee’s account cannot expose most of the data.
Her message to organizations: “In this day and age, with daily phishing attacks and hacking, if you don’t have a strong foundation of end-to-end security and full lifecycle protection you’re not going to have any privacy. So please lead with the strongest security you can imagine.”
Haggie said that “at some point, down the line,” more detailed answers to questions about how the Newfoundland attack started and why data wasn’t better protected will be made public by the government.
Meanwhile the provincial information and privacy commissioner has opened its own investigation.