Cyber threat analyst questions eHealth's response to ransomware attack - Action News

A cybersecurity threat analyst said eHealth Saskatchewan was too quick to promise that personal data was secure and not quick enough to disclose the discovery that it might have been compromised in a ransomware attack.

Brett Callow says ransomware used to be 'simply an expensive inconvenience, but it's a lot worse than that now. It does result in people's data being compromised and possibly published on the Internet.' (PabloLagarto/Shutterstock)

In early January, CEO Jim Hornell said confidential medical information was secure following a cyber infiltration at eHealth.

"They made that claim far too quickly. Absence of evidence isn't evidence of absence," said Brett Callow, a B.C.-based threat analyst for international cyber security firm Emsisoft. "It's really akin to glancing around your burglarized home and saying nothing was taken."

Hornell backtracked one month later on Feb. 7, 2020, revealing that some data had been sent to suspicious IP addresses in Europe. The public was notified of this one week after he found out.

eHealth does not know what the files consist of, although Hornell said they do know that a server known to have communicated with the IP addresses contained administrative files.

Callow said he'd like to see stronger regulations that would require immediate disclosure to the public, even if the organization can't confirm what was taken.

"Would you rather be told by the organization now that your data may have been compromised or would you rather find out in three weeks when your bank account has been emptied?"

Callow said people have a right to be alarmed by a cyber breach. The privacy implications of attacks like this are concerning because they can lead to personal information posted on the Internet or extortion, he said.

Data theft through malware that is used to extort payment is a new phenomenon that picked up last year, he said, but extortion doesn't always happen immediately after the attack is detected.

Malware can allow attackers to gather information and credentials weeks or months before the actual ransomware is deployed and detected, he said. He said most attacks happen either through email or an improperly secured remote access solution, a system that hasn't been "patched" properly.

He said what targeted eHealth had likely been in the system for a period of time, in order to encrypt the data before slipping it past a data loss prevention detection system.

In January, Hornell told CBC that antivirus software had begun to issue alerts on Jan. 5 and then on Jan. 6 employees were asked for bitcoin in exchange for encrypted files.

However, Hornell told CBC News in February the virus had actually entered the system in December not January, as he first indicated. CBC asked for an interview with Hornell to clarify when the CEO learned about the infiltration date, but a spokesperson declined.