[BreachExchange] Health ministry won't offer identity protection to people affected by cyberattack

[Destry Winant]

https://thestarphoenix.com/news/saskatchewan/health-ministry-wont-offer-identity-protection-to-people-affected-by-cyberattack

Saskatchewan’s Minister of Health says the province will not provide
creditor or identity protection for people whose personal information
was stolen in a cyberattack on the provincial health system.

Saskatchewan’s information and privacy commissioner Ron Kruzeniski
said in a report earlier this year that as many as 50 million files
may have been breached in the attack on eHealth Saskatchewan and
recommended the government provide identity theft protection to anyone
whose data appears for sale online, or any concerned person who
requests it.

Health ministry won't offer identity protection to people affected by
cyberattack

Health Minister Paul Merriman said that was the only recommendation
from the commissioner’s 51-page report the government did not accept.

“We thought that was a very challenging thing to do, to be able to
offer that up,” he said, adding that information from the hack had not
yet appeared on the Internet.

“We felt that that recommendation wasn’t needed.”

Merriman removed eHealth’s board members from their roles in January
after the release of the commissioner’s report, replacing them with
two high-ranking bureaucrats he says are now working to ensure the
agency is doing its job.

The report said eHealth did not have enough IT monitoring or security
protections to detect the hack and lacked adequate training for staff.
It also cited another report pointing to a fractious work environment
that resulted in a “hodge podge of unintegrated security solutions
being deployed, in various configurations, being operated in various
parts of the organization and any attempts to improve the overall
security posture of the organization met with resistance and often
futility to the point where staff are frustrated and defeatist.”

Kruzeniski said he was disappointed the government did not accept his
recommendation about identity protection, even if it’s unclear how
many people’s data was actually compromised by the hack.

“At this point, we don’t have a designated list of individuals that
were impacted. But if that list ever develops or comes to pass, then
obviously I think that’s something that should be done,” he said.

Kruzeniski said he was pleased by the significant funding boost
eHealth received in this year’s budget. The agency will get $15.3
million, an increase of around 13.8 per cent of its existing budget,
for services and technologies to keep personal data safe. Kruzeniski
said that’s good news, given the sensitivity and importance of
information in the database.

“I’m very excited about that, because it allows eHealth to begin to do
some of the work on the recommendations or other security issues they
have,” he said.

Kruzeniski’s report gave the government a nine-month timeline to
address his recommendations; he said he received his first quarterly
report recently.

Merriman would not say when more information will be available to the
public, but added that the agency’s new board is “drilling down” into
problems at the organization.

“They’re spending this time, right now, drilling down into the
governance, and they’re also drilling down into management to find out
where we can make improvements with eHealth so this doesn’t happen
again.”