Haggie said a cyberthreat report raised 'no red flags.' Now it appears he didn't actually read it

Former provincial health minister John Haggie does not appear to have read a 2020 threat assessment that he publicly said last year "highlighted no red flags" about the state of health-care cybersecurity in Newfoundland and Labrador.

Recent court filings by the government have revealed previously redacted details of that report, which warned of "significant IT vulnerabilities."

Newfoundland and Labrador's health-care system suffered a devastating cyberattack by a ransomware groupin the fall of 2021.

This week, CBC News askedHaggie, now the minister of education, how he would now characterize those warnings about "significant" vulnerabilities, in the context of his past "no red flags" comment.

"The issue of 'no red flags' was words that were supplied to me by NLCHI [the Newfoundland and Labrador Centre for Health Information] at the time," Haggie replied.

"They had that report. My recollection of it is that we took that with Health and Community Services at the time, and have gone to Treasury Board over the course of the period subsequently to look for increased investment. My memory is a little hazy now as to exactly what that was, but I do recall making some comments about increased investment in IT and security."

Did he read the document?

"I was presented with a summary at the time and that's where the 'no red flags' came from," Haggie replied. "Part of that was verbal."

So he made those comments about "no red flags" and no issues of concern based on what somebody had summarized for him, not from his primary source reading of this document?

"It was from a summary from NLCHI provided to me," he said.

Haggie noted that, in the health portfolio, "you get a lot of summary documents, and you trust the information that you're given."

Haggie referenced the 2020 cybersecurity threat assessment when speaking with reporters in Mayto rebut a CBC Investigates story.

Israeli cyberexperts who reviewed information security arrangements at Eastern Health confirmed "numerous vulnerabilities, security concerns and compliance issues" that needed to be addressed within its network.

The details were in a business plan prepared for the regional health authority in September 2020 and obtained by CBC/Radio-Canada.

• CBC INVESTIGATES | Long before N.L. cyberattack, report flagged flaws in system

Haggie then health minister minimized the significance of that report's findings, describing it as "a business development proposal."

At the time, Haggie told reporters he independently asked NLCHI for a threat assessment of cyber systems in September 2020 around the same time the Eastern Health report was completed.

• Haggie downplays cyber-risk 'business proposal,' says threat assessment found no red flags

"I received a threat assessment which highlighted no red flags," Haggie said.

CBC News subsequently requested that threat assessment through provincial access-to-information laws.

It was titled "Ransomware: Threat and Mitigation Plans." Portionswere blacked out in the response provided to the CBC.

But last week, the government wiped off some of that black ink in documents it filed at court to stop the privacy commissioner from having any continued role in investigating the 2021 cyberattack.

• N.L. sues to halt privacy commissioner's cyberattack investigation, citing 'bias' concerns

Among the sections of the 2020 threat assessment revealed by the government in court:

• "Significant IT vulnerabilities exist, with new vulnerabilities identified daily such as outdated OS, unpatched systems, software flaws."
• "NLCHI, under the existing mandate, will require significant effort to elevate all eHealth IT environments to an acceptable level of security."

CBC News asked Haggie this week whether he believes his "no red flags" comment is still accurate, given what is now known about those details of that assessment.

"I think the investigation from the privacy commissioner and the reports that [the Department of Justice] and [Justice] Minister Hoganwill get will help clarify that," he replied.

WATCH | John Haggie questioned about past comments on cyber threat assessment:

John Haggie answers cyber 'red flag' questions

2 years ago

Duration 2:12

At the Newfoundland and Labrador legislature this week, reporters asked the former health minister about comments he made last year referencing a ransomware threat assessment

The privacy commissioner has since stepped back from his office's ongoing cyberattack probe, saying he wanted to avoid a lengthy and expensive court proceeding and avoid any further delays in releasing the report.

• Privacy commissioner recuses himself from cyberattack probe, denies 'bias' claim

The commissioner has delegated his authority to conduct and conclude the investigation to other officials in his office.

At this point, there is no date set for the release of the report.

Read more from CBC Newfoundland and Labrador