The 2021 ransomware attack that temporarily crippled the Newfoundland and Labrador healthcare system began when an attacker logged in to the VPN of an environment managed by the province's healthcare information centre, using the compromised credentials of a legitimate user, says a government report.
It’s the first time the province has acknowledged the attack was ransomware.
Released Tuesday, the report identifies the Hive ransomware group as the ones behind the attack.
The only reason the province can now reveal that, and other details, is that the Hive group was itself crippled in January, when the FBI seized its infrastructure.
While the report says the earliest evidence of compromise of the healthcare system was the October 15, 2021 entry through the VPN, investigators can’t say how the attacker got hold of the credentials. Data was exfiltrated between Oct. 26 and 29, and the ransomware itself was launched on Oct. 30.
“There is no evidence to indicate that the attack was intended to specifically target NLCHI (Newfoundland and Labrador Centre for Healthcare Information) or the Newfoundland and Labrador provincial health care system,” says the report. “However, the attacker, Hive ransomware group, was known for its aggressive and sophisticated capabilities and its targeting of the health sector.”
After gaining access, the attacker moved laterally through the healthcare IT network, obtained administrative privileges through a privileged user account, and connected to other systems, eventually reaching the systems of the Eastern Health region.
Personal information from three of the province’s four health regions was stolen (see below). The largest share came from Eastern Health, which includes the capital, St. John’s. Eastern Health said a drive holding 200,000 files was compromised. Later, after a more thorough investigation, it said approximately 20,000 of those files contained personal information on 31,500 people, mostly patients but also 280 current or former staff members.
The report outlines a timeline of the attack and the province’s response, but does not explain how the attacker was able to move laterally and obtain administrative privileges without being detected.
It does say that after the attack was discovered, an endpoint detection and response (EDR) system was deployed throughout the NLCHI-managed environment, and multifactor authentication (MFA) was made mandatory for remote connections to NLCHI-managed domains where it was not already in place. The NLCHI-managed system is now monitored around the clock by an outside provider, the report adds.
The province also created a program called Breakwater to better protect provincial healthcare information. It includes implementing a centralized gateway and firewall to further enhance cybersecurity detection and control capabilities, moving towards a provincial security information and event management (SIEM) system, and a new mandatory cybersecurity training program for healthcare system staff.
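The report's timeline (initial access over VPN with a legitimate user's stolen credentials, MFA added afterwards, a SIEM planned) describes exactly the kind of event a central log platform is meant to catch. The following is an added example, not code from the report, NLCHI or the province: a SIEM-style detection run over a few constructed VPN authentication events. The JSON field names, the user names, the geo codes (XZ is a user-assigned placeholder) and the IP addresses (taken from the reserved documentation ranges) are all assumptions. It flags three things a defender would have wanted to see in October 2021: a successful remote login that did not pass MFA, a first login from a country never seen for that user, and a success that follows a burst of failures from the same source.

```python
"""Flag suspicious VPN authentications in a SIEM-style event feed.

Added example; not code from the government report or from NLCHI.
Log format, field names and sample events are constructed for illustration,
with IP addresses from the reserved documentation ranges (RFC 5737).
"""
import json
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

FAILURE_WINDOW = timedelta(minutes=10)  # lookback for failures preceding a success
FAILURE_THRESHOLD = 2                   # failures in the window that make a success suspicious


@dataclass(frozen=True)
class Finding:
    user: str
    ts: str
    reason: str


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect(log_text: str) -> list:
    """Return one Finding per suspicious property of each successful login."""
    events = sorted(
        (json.loads(line) for line in log_text.splitlines() if line.strip()),
        key=lambda e: e["ts"],
    )
    known_geo = defaultdict(set)          # user -> countries seen in clean logins
    recent_failures = defaultdict(deque)  # (user, src_ip) -> timestamps of failures
    findings = []

    for e in events:
        user, ts = e["user"], parse_ts(e["ts"])
        key = (user, e["src_ip"])
        if e["result"] != "success":
            recent_failures[key].append(ts)
            continue

        reasons = []
        if not e.get("mfa"):
            reasons.append("successful VPN login without MFA")
        if known_geo[user] and e["geo"] not in known_geo[user]:
            baseline = ", ".join(sorted(known_geo[user]))
            reasons.append(f"first login from geo {e['geo']} (baseline: {baseline})")
        fails = recent_failures[key]
        while fails and ts - fails[0] > FAILURE_WINDOW:   # drop failures outside the window
            fails.popleft()
        if len(fails) >= FAILURE_THRESHOLD:
            minutes = FAILURE_WINDOW.seconds // 60
            reasons.append(f"success after {len(fails)} failures from {e['src_ip']} within {minutes} min")
        fails.clear()

        if reasons:
            findings.extend(Finding(user, e["ts"], r) for r in reasons)
        else:
            known_geo[user].add(e["geo"])  # only clean logins train the geo baseline
    return findings


# Constructed sample feed: one JSON event per line, as a VPN concentrator
# forwarding to a SIEM might emit them. Users, IPs and geo codes are made up.
SAMPLE_LOG = """\
{"ts":"2021-10-01T08:02:11Z","user":"jsmith","src_ip":"192.0.2.10","geo":"CA","result":"success","mfa":true}
{"ts":"2021-10-04T08:05:40Z","user":"jsmith","src_ip":"192.0.2.10","geo":"CA","result":"success","mfa":true}
{"ts":"2021-10-12T17:20:03Z","user":"mdoe","src_ip":"192.0.2.44","geo":"CA","result":"success","mfa":false}
{"ts":"2021-10-15T03:13:50Z","user":"jsmith","src_ip":"203.0.113.7","geo":"XZ","result":"failure","mfa":false}
{"ts":"2021-10-15T03:14:02Z","user":"jsmith","src_ip":"203.0.113.7","geo":"XZ","result":"failure","mfa":false}
{"ts":"2021-10-15T03:14:27Z","user":"jsmith","src_ip":"203.0.113.7","geo":"XZ","result":"success","mfa":false}
"""

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f.ts} {f.user}: {f.reason}")
```

Run stand-alone it prints four findings: mdoe's no-MFA login, and three for jsmith's Oct. 15 success (no MFA, a never-seen country, and two failures in the preceding minute from the same address). Only logins that raise no finding extend a user's geo baseline, so a compromised login cannot teach the detector that the attacker's location is normal.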
A new provincial health authority will come into effect April 1st which will, among other things, consolidate the ongoing security efforts of NLCHI and the regional health authorities.
Data copied in the 2021 attack included:
• Social Insurance Numbers of 2,514 patients from Eastern Health, Central Health or Labrador-Grenfell Health;
• patient registration information for patients whose bloodwork or specimens were analyzed by Eastern Health from 2010 to 2021, such as name, address, health care number (MCP), reason for visit, their doctor, phone number, birth date, email address for notifications, in-patient/out-patient status, maiden name, and marital status. This would include patient registration information from private clinics and other Regional Health Authorities, including Western Health;
• employee information of current and former employees of Eastern Health (approximately 1993-2021), Central Health (approximately 1993-2021) and Labrador-Grenfell Health (approximately 2013-2021), including names, addresses, contact information, and Social Insurance Numbers;
• other employee information of Eastern Health employees, including disciplinary information and other human resources and administrative information;
• patient information of current and former patients of Eastern Health (approximately 2010-2021), Central Health (approximately 2006-2021), and Labrador-Grenfell Health (approximately 2013-2021), such as name, address, health care number (MCP), reason for visit, their doctor, phone number, birth date, email address for notifications, in-patient/out-patient status, maiden name, and marital status;
• other medical information of current and former patients of Eastern Health (approximately 1996-2021), such as medical diagnosis, procedure type, health care number (MCP), Social Insurance Numbers and banking/financial information for some patients, and ordering health care provider for some health care services provided in certain Eastern Health departments and programs (e.g., Laboratory Medicine, Medicine, Surgery, Cancer Care and Cardiology).