BreachExchange mailing list archives
Health ministry won't offer identity protection to people affected by cyberattack
From: Destry Winant <destry () riskbasedsecurity com>
Date: Fri, 9 Apr 2021 09:22:16 -0500
https://thestarphoenix.com/news/saskatchewan/health-ministry-wont-offer-identity-protection-to-people-affected-by-cyberattack Saskatchewan’s Minister of Health says the province will not provide creditor or identity protection for people whose personal information was stolen in a cyberattack on the provincial health system. Saskatchewan’s information and privacy commissioner Ron Kruzeniski said in a report earlier this year that as many as 50 million files may have been breached in the attack on eHealth Saskatchewan and recommended the government provide identity theft protection to anyone whose data appears for sale online, or any concerned person who requests it. Health ministry won't offer identity protection to people affected by cyberattack Health Minister Paul Merriman said that was the only recommendation from the commissioner’s 51-page report the government did not accept. “We thought that was a very challenging thing to do, to be able to offer that up,” he said, adding that information from the hack had not yet appeared on the Internet. “We felt that that recommendation wasn’t needed.” Merriman removed eHealth’s board members from their roles in January after the release of the commissioner’s report, replacing them with two high-ranking bureaucrats he says are now working to ensure the agency is doing its job. The report said eHealth did not have enough IT monitoring or security protections to detect the hack and lacked adequate training for staff. It also cited another report pointing to a fractious work environment that resulted in a “hodge podge of unintegrated security solutions being deployed, in various configurations, being operated in various parts of the organization and any attempts to improve the overall security posture of the organization met with resistance and often futility to the point where staff are frustrated and defeatist.” Kruzeniski said he was disappointed the government did not accept his recommendation about identity protection, even if it’s unclear how many people’s data was actually compromised by the hack. “At this point, we don’t have a designated list of individuals that were impacted. But if that list ever develops or comes to pass, then obviously I think that’s something that should be done,” he said. Kruzeniski said he was pleased by the significant funding boost eHealth received in this year’s budget. The agency will get $15.3 million, an increase of around 13.8 per cent of its existing budget, for services and technologies to keep personal data safe. Kruzeniski said that’s good news, given the sensitivity and importance of information in the database. “I’m very excited about that, because it allows eHealth to begin to do some of the work on the recommendations or other security issues they have,” he said. Kruzeniski’s report gave the government a nine-month timeline to address his recommendations; he said he received his first quarterly report recently. Merriman would not say when more information will be available to the public, but added that the agency’s new board is “drilling down” into problems at the organization. “They’re spending this time, right now, drilling down into the governance, and they’re also drilling down into management to find out where we can make improvements with eHealth so this doesn’t happen again.” _______________________________________________ BreachExchange mailing list sponsored by Risk Based Security BreachExchange () lists riskbasedsecurity com If you wish to Edit your membership or Unsubscribe you can do so at the following link: https://lists.riskbasedsecurity.com/listinfo/breachexchange
Current thread:
- Health ministry won't offer identity protection to people affected by cyberattack Destry Winant (Apr 09)