Saskatchewan’s Minister of Health says a report released by the province’s Information and Privacy Commissioner Friday contains several troubling findings and recommendations regarding a data breach as well as the subsequent events which occurred and actions taken. Paul Merriman says, “Saskatchewan people expect their personal health information to be secure and protected.” And he said that failed when eHealth’s systems were breached January 2020.

It wasn’t until just last month, on December 22nd, that the Ministry of Health and the Saskatchewan Health Authority let the province’s residents know a data breach had taken place. To address concerns raised by the privacy commissioner regarding delays in providing public notification, the Minister of Health has ordered an internal review into the ministry and health authority decision making processes which resulted in delays in providing public notification in a timely manner.

When asked why it took a report from the privacy commissioner for the government to take action, Merriman said some of the initial reasons he was told was that they didn’t know the depth of the cyberattack at the time.  “This was a very, very sophisticated attack that eHealth had never seen before, he said.  That’s why I’m asking my deputy minister on why there was a delay in the timeline to be able to get that information out to the public because I feel it was very important that the general public knew the depth and the breadth of the breach that happened at eHealth.”  Merriman has ordered Deputy Minister of Health Max Hendricks to address concerns raised in the report including an internal review into the ministry’s and health authority’s decision making processes which resulted in those delays.  He added that he has “absolute faith” in Hendricks to be able to provide him with an unbiased report which he will review and assess upon its completion.

It is being called one of the biggest privacy breaches in the province’s history and Saskatchewan’s privacy commissioner explains in the report that an SHA employee opened up a malicious file in an e-mail from her personal device that was connected to a computer on the Saskatchewan Health Authority network. That file resulted in ransomware going through the network with the attackers making demands on January 5.  Ron Kruzeniski made 25 recommendations in a report which indicates more than 547,000 files containing personal information was exposed.

Kruzeniski makes a number of recommendations in the report including a review of security protocol, that the SHA and the Ministry of Health improve its mass notification systems and that eHealth should look into having security staff in place at all times to investigate and act on any potential threats.

When the government revealed the privacy breach in December it indicated eHealth Saskatchewan was continuing to monitor and scan the internet for any signs that Saskatchewan files have found their way into improper hands.

(With files from CKRM)