eHealth discovers Sask. files sent to suspicious IP addresses in Europe

There's a chance that personal health data belonging to Saskatchewan residents could have been compromised in a ransomware attack.

Files from some of its servershave been sent tosuspicious IP addresses, according to eHealth CEO Jim Hornell.

"There were several that were unknown to us and were recognized to be suspicious in various countries in Europe," said Hornell, adding at least four IP addresseswere involved.

This discovery came in the wake of forensic analysis spurred by a recent ransomware attack. The chance that data might be compromisedwas announced on Friday, although the initial discovery happened one week prior on Jan. 31, 2020.

This is the latest development in the ransomware saga. Initially, CBC News was told the attack began Jan. 5, 2020. However, Hornell revealed that the virus first entered the eHealth system on Dec. 20, 2019. Employees didn't discover there was a problem until theytried to open files on Jan. 6, 2020 and were asked for bitcoin in exchange for unlocking the files.

In January, Hornell said personal data was securedespite the ransomware hit. Now, it appears the organization can't be sure and "may never know" if personal data was affected.

Thefiles exchanged were encrypted and password protected by the attacker, which means theexact content of those files is unknown.

Hornell said the affected server primarily contained administrative files, like emails. However, he said it's not clear if the affected server was in communication with other servers.

"There's no indication that it was personal health informationbut we want tobe ... as confident as possible," he said.

Officials with the Ministry of Health and Saskatchewan's Information and Privacy Commissioner have been notified. The organization said it will continue a security analysis to determine if further breaches have occurred.

It has also brought on the help of a specialized security firm that is"tasked with scouring the Internet for any signs that confidential information has been compromised."

Hornell wouldn't say the cost of the third-party assistance, saying costs are still being compiled and some is covered by insurance.

NDP Heatlh Critic Vicki Mowat issued a statement thatreiterated the call for a government-wide security review of government sites and databases.

"People should be able to trust that their health records are secure that's eHealth's most important responsibility, and today's admission shows that this government has failed to provide that security," the statement said.

"The news that the recent data breach led to public health files being taken is cause for great concern. Even more concerning is that eHealth doesn't know what those files contained or how much of Saskatchewan people's health data has been compromised."

On Friday, Hornell said he wasn'tsurprised the health organization was hit.

"Weknew that that was definitely an eventuality and that's why we are investing in updating our patches," he said.

Hornell said the public will be notified if the forensic investigation leads to more revelations. In the meantime, he saidemployees are receiving ongoing education about proper Internet etiquettein the wake of the attack, like not opening suspicious links or emails.