REGINA -- The province cannot rule out a possible breach of personal health information following a malware attack on eHealth. The Office of the Saskatchewan Information and Privacy Commissioner (OIPC) is drafting a report on the incident.
Saskatchewan’s eHealth records were accessed by hackers in early January 2020. The system stores Saskatchewan residents' personal health data, and at the time, the government believed nothing was stolen.
eHealth said on Tuesday that some of its files were sent to suspicious IP addresses. In February eHealth suggested personal files could have been sent to several suspicious IP addresses.
“While the forensic investigation rendered no evidence that personal health information was compromised, the investigation was unable to rule out a breach of personal health information,” the OIPC, eHealth Saskatchewan (eHS), the Saskatchewan Health Authority (SHA) and the Saskatchewan Ministry of Health said in a news release.“The inability to absolutely verify that no privacy breach occurred is leading to public notification of a potential privacy breach involving personal information or personal health information.”
In the release, the organizations say eHealth Saskatchewan was able to eliminate the malware and restore files. However, files had already been shared with the suspicious IP address.
“eHS continues to monitor and scan the internet for any signs that Saskatchewan files have found their way into improper hands. The latest six-week scan was completed in November and to date there continues to be no evidence to show this has happened.”
Since the attack, eHS, SHA and Ministry of Health say they have increased training on the danger of opening suspicious emails.
The OIPC is working on an investigation report on this incident and eHS, SHA and the Ministry of Health are waiting for the recommendations to inform next steps.