Five months after a ransomware attack locked the computer systems storing confidential medical data of Saskatchewan residents, eHealth Saskatchewan says it’s going to take a while to restructure its IT infrastructure, and that it’s still unsure who stole the data or where it is.
The health agency’s chief executive officer Jim Hornell confirmed in February that the virus first entered the eHealth system on December 20, 2019. Employees didn’t discover there was a problem until they tried to open files on Jan. 6 and were asked to hand over bitcoin in exchange for the encrypted data.
It wasn’t long after the agency’s IT team discovered files from some of its servers had been sent to suspicious IP addresses. Unfortunately, not much progress was made since then to identify what data was taken, who took it, or how it’s being used. No ransom has been paid. Hornell was not available for comment, the agency told IT World.
“As we outlined publicly in early February, eHealth discovered some files were sent to IP addresses outside of eHealth’s environment. Those files were encrypted and password protected by the attacker. This makes it difficult to determine the exact content of those files,” wrote Ian Hanna, director of communications for eHealth Saskatchewan in an email to IT World. “Longer-term work on re-organizing and restructuring eHealth’s IT architecture will continue for several more months.”
Law enforcement and privacy officials have been kept up-to-date on the forensic investigation, wrote Hanna. He also confirmed that eHealth had hired outside help to determine if any files were illegally sold. As of now, no trace of such activity has been found. The agency’s website says, “should it be determined that personal health information has left the organization, the public will be advised.”
The other steps that were taken to protect its computer systems since the initial attack include updating password protocols, updated protection software the introduction of multi-factor authentication for crucial systems, added Hanna.
There was a total lack of visibility of the health agency’s computer network, according to David Masson, director of enterprise security at Darktrace. Unfortunately, it’s a common problem with many companies, he said.
“It’s too late to really do much once you discover there’s a problem because by then, the damage is done,” Masson said.
One of the other disturbing details of the attack against eHealth Saskatchewan is how files from some of its servers had been sent to suspicious IP addresses, he indicated. This could reflect a more sophisticated ransomware attack akin to the one that crushed an agricultural services company earlier in June.
In that cyber attack, a website called “Happy Blog” run by threat group dubbed REvil auctioned off data it says was stolen from a London, Ont., company that offers crop advisory and protection services. The auction notice said the data available included accounting documents and customer accounts for the last three months.
“With eHealth, there was never any ransom paid, but we’ve seen that the data has left [the data centre] and turned up in various other places,” said Masson.
When it comes to action items on the part of residents whose data might be compromised, Masson suggested additional vigilance. Be wary of strange emails, text messages and phone calls. And it doesn’t hurt to check bank statements every once in a while, he added.