Few answers from NL about cyberattack

ST. JOHN’S – The Newfoundland and Labrador Centre for Health Information (NLCHI) held its annual general meeting earlier this month, in a virtual format, but provided no updates about the major cyberattack that hit the province last fall. Nor did it outline what’s since been done to protect patient data.

The tightly scripted event – held on the Friday afternoon before a long holiday weekend, in contrast to previous years – was a one-way video meeting with no ability to ask live questions. People watching the virtual event were instead directed to submit any inquiries via chat function, to be answered later.

Newfoundland and Labrador Centre for Health Information officials could not say exactly when those responses will come.

CBC News reported that references to the cyberattack mainly related to lauding staff for their response.

“NLCHI did outstanding work to get our healthcare system back on its feet quickly, post an event last fall which brought some technology down,” said Blair White, an assistant deputy minister with the Department of Health.

NLCHI board chair Kris Aubrey-Bassler agreed.

“It has truly been a team effort, a massive team effort going above and beyond, to contain the disruption and restore all function within the health system within an incredibly short timeline given the degree of dysfunction that resulted following the attack,” Aubrey-Bassler said.

The Newfoundland and Labrador government has been mum about most aspects of the cyberattack, which took down many of the health computer systems in the province.

Officials have acknowledged that information was stolen. Lab results were inaccessible, and procedures and treatments were delayed. As of July, Eastern Health had notified 37,800 people that their privacy was breached.

But there are still major question marks about what actually happened.

Government officials have repeatedly declined to disclose details about who was behind the attack, whether it involved ransomware, whether any ransom was paid, and what has since been done to bolster cyberdefences.

They have cited expert advice for that secrecy but have refused to say who those experts are.

According to a CBC News article from June of this year, the Newfoundland and Labrador Centre for Health Information defended the fact that its cybersecurity framework has remained in draft format for nearly three years and is still not finalized.

The framework was drafted in 2019, when all technical support for the province’s four regional health authorities was transitioning into a “shared-service model” under NLCHI.

“Further activities related to establishing the new model were delayed due to managing the provincial COVID-19 response,” NLCHI said in an emailed statement.

The Department of Health and Community Services steered CBC News inquiries to NLCHI, which did not make anyone available for an interview.

The centre instead sent a brief statement via email from a generic communications account with no name attached to it.

“Although the formal cybersecurity framework has not yet been finalized, both NLCHI and the regional health authorities had previous safeguards and security policies in place, and continue to do so,” that statement noted.

The lack of a finalized cybersecurity framework was revealed by a recent report from the province’s information and privacy commissioner, as part of an investigation into a complaint by CBC News.