Despite warnings, N.L. health officials didn't bolster cyberdefences before ransomware attack

Newfoundland and Labrador health officials did not act on a series of warnings and failed to adequately protect sensitive health information of hundreds of thousands of people before a ransomware gang launched a devastating cyberattack in 2021 that surreptitiously scooped up 200 gigabytes of data and paralyzed the province's health-care system.

That's among the findings of a 115-page report on the attack issued Wednesday morning by the Office of the Information and Privacy Commissioner. 

"The biggest question at the outset of this investigation for us was whether this cyberattack succeeded despite these [provincial health] entities having cybersecurity practices that met recognized international standards, or if it succeeded because those standards were not being met at the time," the provincial watchdog noted in the report.

"Unfortunately, we found the latter."

Security in the health information system "was lacking in a number of important areas" and internationally recognized, industry-standard cybersecurity measures were "either not in place or not fully implemented."

The report found that deficit left the personal health information and personal information of citizens of the province vulnerable to cyberattack — "which, under the circumstances, was almost an inevitability."

Investigators concluded that these vulnerabilities were known within the health-care system but officials failed to fix them.

As well, they believe more people were affected by the breach than previously disclosed by government and health officials.

"The total number of privacy breaches caused by the cyberattack is unknown but is likely to be in the hundreds of thousands," the report advised. 

"In other words, it is likely that the vast majority of the population of the province had some amount of personal information or personal health information taken by the cyberattackers, although the specific number may never be known."

The report called the data taken in the cyberattack "highly sensitive information that deserved the highest degree of protection."

However, the report found that "an impressive amount of work" has happened since the attack, to ensure that appropriate cybersecurity measures are in place across the health information system. 

"We are pleased to say that much progress has been made," the report noted. 

"A crucial consideration, however, is that this is not a one-time fix. Cybersecurity is an ongoing project, and it is essential that sufficient focus and resources continue to be directed to this task."