Saskatchewan eHealth has changed their tune: a ransomware attack that eHealth previously said resulted in no compromised info has now been discovered to have leaked files to ‘suspicious IP addresses”.

Whats worse: the files were encrypted and password protected by the hacker(s), preventing the knowledge of what data has leaked.

The attack, which occurred on Sunday January 6, 2020 targeted important systems needed by patients and practitioners, and demanded a bitcoin ransom to release the hold. Originally Sask. eHealth said the attack would result in only slight delays in some services. When the Saskatchewan Cancer Agency reactionary disconnected from eHealth, however, thirty-one cancer patients were forced to delay their treatments.

Ransomware attacks are not new, though they are becoming more insidious. In 2016, the University of Calgary was forced to pay $20,000 CAD when a ransomware attack shut down university services around finals season; university IT staff found that problems with malware existed on their servers after the ransom was resolved.

Two days after the attack network services were shut down at the La Ronge Health Authority. When reached, eHealth Media Relations would not comment if this could signify a source of breach with La Ronge records, specifically.

Two weeks after the attack Saskatchewan’s Information and Privacy Commissioner (Mr. Ronald Kruzeniski) announced he would investigate the breach to ensure that no personal private health information was compromised. Saskatchewan’s Auditor is also reviewing the breach. The provincial auditor’s office has previously published findings on eHealth’s Saskatchewan Lab Results Repository (SLRR): in 2015 the office had five recommendations, and in 2017 a follow-up stated security-related issues still persisted — and that these made the datatbase(s) susceptible to breaches such as this.

In particular the 2017 Auditor’s report mentioned that eHealth had not updated it’s SLRR systems within a reasonable time frame; certain updates that had not been made had been available since 2012.

Why did Saskatchewan eHealth falsely report the result of this breach? Did they know and attempt to obfuscate, or were they simply unaware of the breach at that time? Are there malicious code still lingering on these systems? Regardless, provincial auditors are forensically combing the data and will no doubt release more information as it becomes available, including if the recommended actions from 2015 and ’17 were taken ahead of the leak.