[BreachExchange] eHealth can't rule out theft of personal information in cyberattack

[Destry Winant]

https://thestarphoenix.com/news/saskatchewan/ehealth-cant-rule-out-theft-of-personal-information-in-cyberattack

New evidence suggests a significant number of files were transferred
to “suspicious” IP addresses in a recent cyberattack against the
province’s electronic health system — meaning eHealth Saskatchewan is
no longer certain personal information was not compromised.

An investigation by SaskTel found that the files were sent to
“suspicious” IP addresses during a ransomware attack against eHealth
Saskatchewan on Jan. 5.

Since the files were encrypted, CEO Jim Hornell said he can no longer
rule out the possibility that personal information may have been
compromised

“We can’t unequivocally say whether they have it or not,” Hornell said.

Ransomware attackers hold a user’s own files hostage, demanding
payment for access to them. So far, no similar ransom demand has been
made to eHealth for the stolen files.

However, many hackers monetize stolen data in other ways — by selling
it to third parties on the Internet or by weaponizing personal data to
make further cyberattacks against the people whose data was stolen.

Brett Callow, a threat analyst with global cybersecurity firm
Emsisoft, said the absence of a ransom demand is not a clear sign the
hackers intend to monetize the data by selling it — they may have
failed to get the information they wanted, or are waiting for eHealth
to reach out before stating their ransom.

Public agencies like eHealth are increasingly becoming targets for
hackers because of the relative weakness of their security systems and
the wealth of personal data they manage. Hornell said he estimates
eHealth receives “thousands” of hacking attempts.

Callow said many of those firms, like eHealth, rush to claim they have
no evidence of losing personal data — until that possibility becomes
apparent after a forensic analysis.

“Absence of proof is not proof of absence,” Callow said.

Hornell said eHealth’s security systems are strong, although
provincial auditor’s reports dating to 2007 have highlighted gaps,
particularly the lack of a disaster recovery plan. That plan has been
“partially implemented,” according to a 2018 update from the auditor’s
office.

The provincial Office of the Information and Privacy Commissioner
(OIPC) is investigating the eHealth breach for any evidence of
personal data being compromised, and the provincial auditor will
examine security practices as part of a routine review.

The provincial opposition is also renewing a call for a security
review of ministry and agency sites.

“The news that the recent data breach led to public health files being
taken is cause for great concern,” NDP health critic Vicki Mowat said
in a release. “Even more concerning is that eHealth doesn’t know what
those files contained or how much of Saskatchewan people’s health data
has been compromised.”

Hornell said eHealth has contracted a third party to “scour the
Internet” for any signs of hackers selling the data. In the meantime,
he said the organization has successfully “eradicated” any remaining
trace of malware and restored all files it lost.

Callow said most hacker communities where this information is sold can
only be accessed by other criminals.

“You have to prove you’re a bad guy before you even get in,” he said.

Hornell agrees it will be hard to locate.

“We may never know for sure exactly what is in those files,” he said.