Officials confirm patient data stolen in N.L. cyberattack

Officials have confirmed that patient data has been stolen in the cyberattack on the Newfoundland and Labrador health-care system, after previously saying it had merely been accessed. (Darrell Roberts/CBC - image credit)
Officials have confirmed that patient data has been stolen in the cyberattack on the Newfoundland and Labrador health-care system, after previously saying it had merely been accessed. (Darrell Roberts/CBC - image credit)
Darrell Roberts/CBC
Darrell Roberts/CBC

Officials have confirmed that personal information of medical patients in Newfoundland and Labrador has been stolen in the cyberattack that has wreaked havoc on the provincial health-care system for over two weeks.

While speaking with reporters on Monday, Justice Minister John Hogan said it was his understanding that both patient and employee data have been taken in the attack.

The news follows Friday's update, where he said that employee data had been taken, but said the investigation had not yet determined if patient data had also been stolen. A spokesperson clarified that the situation changed following the Friday update, and the investigation was able to confirm that patient data had been stolen.

The stolen patient information includes names, addresses, Medical Care Plan (MCP) numbers, who the patient was visiting, the reason for the visit, name of doctor, phone numbers, birthdays, email addresses, in- and out-patient status, maiden name and marital status.

Hogan said the regional health authorities are responsible for the data, but that government has a responsibility to keep the public up to date on the evolving situation.

"We have a responsibility as well, as the government, to advise the public about any safety concerns," Hogan said.

Hogan said the government can not yet inform individuals if their data has been taken because it is part of the ongoing investigation.

Officials first said that patient and employee data had been stolen on Tuesday, before backtracking on Wednesday, saying the data had been "accessed," but the investigation could not confirm if data had been taken.

Hogan said there is no current evidence that the stolen data has been misused, but didn't rule out the possibility either.

Health Minister John Haggie said there is a "significant possibility" that data has been stolen from three regional health authorities: Eastern Health, Central Health and Labrador-Grenfell Health. Officials said last week that Western Health data has not been accessed.

Employee data from within the three affected health authorities may have also been taken during the breach, officials said last week.

That data includes names, addresses, contact information and social insurance numbers. Last week, Haggie said there is no evidence that banking information was stolen.

While Eastern Health confirmed on Friday that patient data had been stolen, Central Health and Labrador-Grenfell Health have not yet said the same. CBC News has asked for comment.

Government unsure when it can reveal cyberattack details

Although officials have now confirmed that both employee and patient data have been stolen, they would not reveal other details about the investigation, or even say if the stolen data was encrypted.

"We're following the recommendations of our experts as to what to say and what not to say," said Haggie.

During question period in the House of Assembly on Monday, both Opposition Leader David Brazil and NDP Leader Jim Dinn both called for more transparency in the investigation, asking the government to commit to an inquiry into the cyberattack.

Government declined to commit to an inquiry, citing the current investigation in progress.

"We need to be very careful about what tool we're selecting, and the appropriate instrument needs to be employed," Premier Andrew Furey told reporters after the session.

Brazil said he understands that certain sensitive information can't be shared yet, but he wants the government to commit to an eventual inquiry in order to find out what went wrong.

"We need to ensure this never happens again," he said.

Mark Quinn/CBC
Mark Quinn/CBC

The RCMP and Information and Privacy Commissioner Michael Harvey have already announced their own respective investigations into the cyberattack, but Brazil said an inquiry would allow for more public accountability.

"A public inquiry gives the ability then to bring in witnesses, the experts, those who are directly affected by this. All the key stakeholders that have been involved in the process here," he said.

Dinn questioned if government hesitated to commit to an inquiry because they have something to hide.

"There are some serious questions that need to be asked as to what led up to it," he said. "How do we make sure that it becomes more difficult for it to happen again?"

Furey said the government doesn't know when it will be able to share more about the attack.

"The reality is that we don't know exactly when we'll be able to disclose everything that everybody wants to hear," he said.

Read more from CBC Newfoundland and Labrador