Privacy commissioner promises investigation into N.L. cyberattack

Newfoundland and Labrador's information and privacy commissioner says his office will be investigating the cyberattack that has hamstrung the province's health-care IT systems for nearly two weeks.

Michael Harvey's announcementcomes after this week's news that as part of the attack,hackers have stolen the personal information of patients and employees in the Eastern Health and Labrador-Grenfell Health region.

Officials have said the stolen information was unencrypted, meaning there were no safeguards to prevent the hackers from reading it. Harvey said his office's investigation will look at whether the information was held securely and according to industry standards.

"Was it a deficiency on the part of Newfoundland and Labrador in keeping up to industry standards? Or was it a problem that the criminals are just one step ahead of even the industry standards?" said Harvey.

Harvey said his office was informed of a possible data breach on the Monday after the attack, more than a week before the government publicly said information had been stolen. He said his office received official confirmation Tuesday, the same day as the public.

With tens of thousands of employees and hundreds of thousands of patients affected, said Harvey, the breach is far and away the largest inNewfoundland and Labrador history.

The opposition is also calling for answers after Tuesday's announcementof the data theft.

PC Leader David Brazil and NDP Leader Jim Dinnboth told reporters Wednesday at they learned of the data breach on Tuesday but weren't surehow long the government knew about itbefore sharing the news with the public.

"Government needs to be proactive. They need to be out front of it. People need to be reassured," Brazil said. "This is about people's immediate response now and their immediate fears about what's going to happen with their credit ratings and their financial information."

News of the breach was the latest developmentin the 11 days since a cyberattackhalted much of the province's health-care system, including surgeries, tests and other non-emergency procedures.

According to government officials, the information was accessed through the health-care system's Meditech information database.

The breach involves basic patient information, including names, birthdays, addresses, email addresses, phone numbers, medical care plannumbers, marital status, in-patientand outpatient times and the name of the person's family doctor.

Personal information includingnames, addresses and social insurance numbers of Eastern Health employees going back 14 years and Labrador Grenfell-Health employees going back nine years has also been breached, said officials. Health Minister John Haggie said there is no indication banking information was included in the breach.

"We've got tens of thousands of health-care workers whose information has been compromised by this breach, they need to feel secure," Brazil said.

PCs call for debate, NDPs wantanswers

Premier Andrew Furey said a public notification process is underway to outline what steps people should take to protect themselves from identity theft and monitor their financial information. The process includes online resources and a toll-free phone number.

Dinn saidthe government needs to outlineits cybersecurity measures and explain how the breach occurred.

"That will be the only way we can put it in the measures needed to hopefully prevent such future attacks," he said.

He suggested budget cutsled to deterioration of cybersecurity measures guarding Newfoundland and Labrador's health-care system.

"We know that these attacks happened throughout the world. Were we totally prepared?"

Read more from CBC Newfoundland and Labrador