Scope of N.L. cyberattack grows as officials confirm breach of social insurance data

ST. JOHN’S, N.L. — Newfoundland and Labrador officials revealed Tuesday that personal data belonging to everyone who has had a COVID-19 test in the province was stolen by the hackers behind a cyberattack launched Oct. 30 against the provincial health-care system.

The head of the province’s largest health authority told reporters the breach also involved social insurance numbers belonging to 2,514 patients — 1,025 of whom are still alive — even though health-care workers aren’t supposed to request that information. 

Eastern Health president David Diamond said when patients are registered, there is an unnecessary input field for a social insurance number.

“We actually don’t see that there was ever a need for social insurance numbers to be collected that way,” he said Tuesday during a briefing in St. John’s. “And so we think that in many cases, this may simply have been human error, because the field was there.” Officials are putting together “mitigation plans” to ensure this information isn’t collected again, Diamond said. 

Though the attack hit provincial health-care networks about a month and a half ago, its impacts are still being uncovered. As of Tuesday, officials confirmed that patient or employee data from all four of the province’s health authorities had been stolen by the perpetrators, some of it going back 28 years. It was previously believed that just three of the authorities were affected.

Diamond also revealed Tuesday that anyone whose blood work was sent to Eastern Health for analysis in the past 11 years was part of the data breach. The hackers do not, however, have access to test results, COVID-19 tests included, he said. He could not say how many patients and employees in total were affected by the breaches.

As has been government practice since the attack was first announced, Justice Minister John Hogan offered no specifics on the nature of the attack and refused to say if a ransom had been paid. “There is, has been, and will be an ongoing security issue here,” he said. “The advice we take from the experts is to say what we said and nothing more at this stage.”

Hogan described the privacy breach involved in the attack as “one of the largest we’ve seen in the country,” though its scale is clearly still being assessed.

As for the affected systems, Diamond said they’re being rebuilt from scratch using backups. 

“We estimate we’re 65 or 70 per cent of the way there,” he said. “And with manual workarounds and other creative ways clinicians have been working, our services are all back, albeit not necessarily at 100 per cent.”

This report by The Canadian Press was first published Dec. 14, 2021.

Sarah Smellie, The Canadian Press
