Thousands of health-care workers’ personal information has been compromised in a data breach that’s targeted three websites on servers at the Health Employers Association of BC.
Hackers had access to the HEABC system from May 9 to June 10, and the breach wasn’t detected until July 13, according to the association, which said staff “identified a potential anomaly” but did not provide further explanation.
Health minister Adrian Dix described the information as stolen, but claimed ministry services are not impacted, and that “No patient information, and no information in government systems have been compromised.”
Cyber-criminals allegedly attacked the Health Match BC, the BC Care Aide and Community Health Worker Registry, and the Locums for Rural BC sites.
HEABC president and CEO Michael McMillan was unable to say how many workers were impacted, but said there are 240,000 email addresses involved and linked to passport information, driver’s licences, birthdays and social insurance numbers.
“I sincerely regret this event happened and I want to reassure everyone we are working with cyber security and privacy experts to address the incident, safeguard against future attacks and notify individuals,” he told journalists at a press conference at HEABC headquarters. “At this time we are not able to conclusively determine which information was involved. Out of an abundance of caution, we are acting as if all the information may have been involved.”
EXACT VULNERABILITY UNCLEAR
McMillan says no one has asked for a cyber-ransom. He initially refused to answer questions about the nature of the breach and whether the hackers had exploited the same vulnerabilities used against other government agencies that have fallen victim to bad actors targeting the MOVEit file transfer software. Those attacks have impacted Nova Scotia’s government and Metro Vancouver Transit Police, as well as millions of Americans through various government agencies and private companies.
When CTV News pointed out the public had a right to know whether the same tactics that exploited vulnerabilities elsewhere were foreseeable by HEABC, McMillan then acknowledged that MOVEit “was not the vulnerability that was exploited,” but wouldn’t provide further information, citing an ongoing police investigation.
It’s not clear how much personal information is exposed and which groups have it, but the Office of the Information and Privacy Commissioner of BC has also been notified, as well as the Canadian Centre for Cyber Security.
Both Dix and McMillan emphasized they’ve consulted cyber security experts to help manage the situation, while offering staff two years of free credit and cyber-security monitoring through Equifax. Impacted health-care workers will start receiving emails outlining the situation and the offer.
COMMON BUT AVOIDABLE
A Canadian online threat analyst pointed out such attacks are incredibly common, but can be fought.
“Lots of cyber attacks are entirely preventable by adhering to best practices,” said Emsisoft expert Brett Callow, who urged impacted health-care workers to closely monitor their bank accounts, emails and text messages for any unusual activity.
As for why health-care workers may have been targeted, Callow points out it’s difficult to speculate about motive.
“This could be kids that are messing around or more likely it is some sort of organized cyber criminals who are looking to monetize the data in some way,” he said. “That could mean using it themselves to commit identity fraud, or selling it off to others.”