Who are they protecting?
By Ivan Morgan / June 16, 2023
I suppose it’s how my mind works; when I read the report from the Privacy Commissioner’s office on the 2021 health care cyberattack, I couldn’t stop thinking of mayors and counsellors.
Last month our independent privacy folks (they have much more highfalutin titles for themselves, but I will spare you) issued a report on the cyberattack on our health care system. It found our Centre for Health Information didn’t do what they were paid to do: protect our health information from ransomware hackers.
The report was dutifully reported on and then joined countless other reports on shelves. I am one of the very few who read it (full disclosure, I know the smart, capable person who led the investigation).
The report outlines what the Centre didn’t do to protect our health information from criminals we all know are out there.
Maybe I need a life, but I found the report jaw-dropping. I speak fluent government and there’s lots of reading between the lines. There’s too much to list here, but it’s a sad, sad story. Here are just a few highlights.
From the get-go the report says the Centre was not prepared for a ransomware attack and had not even met “recognized international standards” even though they had been warned they were vulnerable. They were, in short, sitting ducks.
The report notes government went to court to try and stop the privacy crew from investigating this security breach, even though it’s their duty under law.
The report says government dragged its feet in informing us of the nature and seriousness of the attack. While it was suspected all along that we had suffered a ransomware attack (where hackers had encrypted or stolen our health care information and held it hostage until a ransom is paid), government said little or nothing.
The report found the information stolen could have an “adverse impact upon the mental, physical, economic, or social well-being to impacted individuals that includes humiliation, damage to reputation or relationships, financial loss, identity theft, and negative effects on the individual’s credit record . . .”
Odds are, gentle reader, that you are an “impacted individual.”
The report heaps all manner of praise on the work that’s been done since the cyberattack, the barn door well reinforced long after the horses have bolted.
And so much more.
Here’s what is not in the report.
The Centre for Health Information received $94 million of your money last year. They didn’t protect your health information. The ransomware attack cost the province another $16 million, plus a presumably big ransom, if it was paid. We don’t know if it was paid, however, because government won’t tell us, citing “security concerns.” The privacy commissioner dryly reports no evidence has been forwarded from government proving this was a valid reason.
It’s your money they may or may have not paid, and they don’t want you to know. They want you to shut up, mind your own business, keep paying your taxes (and keep voting for them).
We have a right to know how much we had to pay.
Why did I think of municipal people? In my various careers I have witnessed, and helped, volunteer councillors come cap in hand to government looking for money to provide their community with fundamentals such as clean drinking water, reasonable sewerage treatment, or cash to keep the streetlights on. Government poormouths. Yet, as this report shows, they spare no expense to protect their own hides.
I know the Centre does all manner of things, but one of its most important jobs was supposed to be protecting our health information. They didn’t.
It may be in poor taste to mention this here, but a decade ago the auditor general found the Centre’s top staff were paying themselves far more than other government agencies, some receiving 119 per cent pay raises in just four years. There was a fight to fix this.
There does not appear to be any consequences, or accountability with this outfit. Or, it appears, any impetus to do what they were tasked with doing.
Ultimately, it’s government which is at fault. They bill themselves as good managers of our money. This is just the latest example of how that’s not true.
Actions speak louder than words. How concerned were they about the serious damage done to your privacy on their watch? The first thing they did when they were told of the attack was to hire a national crisis management public relations company for advice at $200,0OO.
Who do you think they were trying to protect?
Ivan Morgan can be reached at ivan.morgan@gmail.com