The Office of the Privacy Commissioner has released its report into the 2021 cyber attack on the health care system, calling into question government’s disclosure of information and cybersecurity measures in place at the time of the attack.
Commissioner’s Delegate Sean Murray released the report this morning.
While the report states that by and large the breach response was carried out well, it finds that some details were not disclosed at the first reasonable opportunity as required by law, and that the security of the health information system at the time of the attack was “lacking in a number of important areas.”
On disclosure, the report calls the time it took to disclose the situation as a ransomware attack “concerning.” As well, public notifications about the privacy breach should have included more detail about the nature of the situation—namely that it was a ransomware attack, and confirmation that those responsible stole personal information for malicious purposes.
As for cybersecurity measures, it states that internationally recognized industry standards were either not in place or not fully implemented at the time of the attack.
The report also says that while over 100,000 people were directly notified, it is likely that the vast majority of the population had some amount of personal information taken.
As well, the report says that before the attack was detected, some threat activities triggered alerts within the health care system. It found that those alerts were not properly addressed or investigated. Had this been done, it says, the attack that followed could have been prevented or reduced in extent.
The report comes with six recommendations, including that the Provincial Health Authority regularly review the status of cybersecurity across the system, and that a Chief Privacy Officer position be created.