London Drugs, the B.C. government and the First Nations Health Authority have all been hit by cyberattacks in the last month, and while three different hacker groups are believed to be responsible, the targeted organizations all share one thing in common: They haven’t been forthright about the sensitive data they’ve lost.
The First Nations Health Authority was the latest to take a stab at downplaying the seriousness of its breach with a statement Wednesday that it “intercepted” the hack May 13, “deployed countermeasures to block the unauthorized entity’s access” and “engaged third-party cybersecurity experts to assist with containment.”
“While the investigation is still at an early stage, FNHA has uncovered evidence that certain employee information and limited personal information of others has been impacted,” it said.
“FNHA has no evidence that this cyber incident has impacted any clinical information systems it uses.”
Phew. What a relief.
Except, that’s not really accurate.
According to the sample data that hacker group INC Ransomware placed online, the stolen data appears to include patient complaints through the FNHA quality control process, third-party health insurance claims that detail both the patient and amount, invoices from medical professionals, contracts with private businesses, cheque requisition forms (including in one example the name of a child seeking travel support reimbursement), security logs, detailed financial reports and more.
That’s a lot more than “limited personal information,” as the FNHA claimed.
It makes the organization look like it’s being dishonest about the seriousness of the attack. And it fails to properly warn all sorts of individuals, First Nations and businesses who could be taking steps to protect themselves in advance had the health authority been more transparent about the scope of who was affected.
“I think they are taking it very seriously,” said Health Minister Adrian Dix, who promised resources to the authority to help respond.
“There isn’t any evidence government or health authority systems are compromised.”
That, at least, is good news. It means the hackers weren’t able to use FNHA as a launching point into the provincial e-health system that contains the detailed medical records of British Columbians.
The lack of forthrightness by the FNHA was mirrored in the private sector by London Drugs, the Richmond-based pharmacy chain that has 79 stores in B.C. and Alberta.
London Drugs was hit earlier this month by ransomware group LockBit, which threatened to release what it stole if the company did not pay $25 million.
London Drugs refused, saying that sensitive customer data was not lost and that “we have no indication to date of any compromise of patient or customer databases; nor do our primary employee-specific databases appear compromised.”
This, too, proved inaccurate.
LockBit went ahead and released the data publicly. It includes what appears to be the company’s human resources department, including medical questionnaires, sexual assault reports, harassment investigations, termination letters, witness statements, sworn statements, legal advice, domestic abuse cases, performance reports, warranty claims, financial invoices, vendor contacts, fiscal year reports, payroll, HR training, employee surveys and more.
Much of this is confidential and highly sensitive. And yet, London Drugs sought to downplay it by telling the public that “primary employee-specific databases” were safe — whatever that means.
London Drugs has offered 24 months free credit monitoring for employees. That will be cold comfort to someone whose deeply personal HR files are now online for the world to see.
Which brings us to the B.C. government, which faced three cybersecurity attacks in the last month by what it says was a state or state-sponsored hacker.
“There is no evidence at this time that sensitive information has been compromised,” the premier has said.
That seems highly unlikely, based on what we’ve seen by London Drugs and the FNHA.
More likely, the government has lost very sensitive data but is sanitizing that fact with carefully constructed wordplay because of risk-averse lawyers, cybersecurity experts and civil servants that say it’s the safest move.
It’s the wrong approach.
The London Drugs and FNHA incidents have highlighted how early, honest disclosure from an affected organization can let people take steps to protect themselves before their data is put online — whether the lawyers and security experts like it or not.
At the end of the day, the government, FNHA and London Drugs are the victims here of illegal activities by nefarious criminals.
But they also have a responsibility to the people whose personal information they promise to protect. Hiding behind sanitized language when the true scope of the breached data is awful to employees, is tantamount to lying to them.
Rob Shaw has spent more than 16 years covering B.C. politics, now reporting for CHEK News and writing for Glacier Media. He is the co-author of the national bestselling book A Matter of Confidence, host of the weekly podcast Political Capital, and a regular guest on CBC Radio.