Skip to content
Join our Newsletter

B.C.'s health-care system no stranger to cyberattacks that threaten data

An active police investigation is underway and it's unclear what may have been taken from Health Employers Association of B.C. databases.
adrian-dix-bc-gov-flickrprovince
Health Minister Adrian Dix said no patient information was taken and government systems were not compromised in the attack.

The agency that represents B.C.’s health-care employers denies that it was the latest victim of a Russian cybercrime gang.

During a hastily called Tuesday news conference to announce a major privacy breach, Health Employers Association of B.C. (HEABC) CEO Michael McMillan offered few details, citing an active police investigation.

McMillan, however, said the incident is not connected to multiple hacks of the MoveIt file transfer program.

The Nova Scotia government and Metro Vancouver Transit Police are among the many victims.

“I think I can say, without breaching anything important, that is not the vulnerability that was exploited,” McMillan said.

McMillan said the HEABC, which negotiates six major contracts covering 170,000 unionized health-care workers in B.C., discovered the hack during routine maintenance on July 13.

Its systems were accessed between May 9 and June 10 and the hackers may have taken birthdates, social insurance numbers, passport and driver’s licensing information and educational credentials associated with as many as 240,000 unique email addresses from three databases for physicians, care aides and community health workers.

Health Minister Adrian Dix said no patient information was taken and government systems were not compromised.

“We do know that not all of the information in these databases was taken from the server, but at this time, we are unable to conclusively determine which information is potentially taken,” McMillan said. “As a result, we are acting as if all the information was potentially taken.”

McMillan did not name names but said HEABC had contracted private “internationally recognized cybersecurity experts” and is working with cybersecurity experts in government and at health authorities.

He also said that HEABC is contacting all affected individuals and offering credit and identity protection services. Coincidentally, the HEABC announcement came after the previously scheduled release of a cybersecurity audit at Vancouver Island University.

Auditor General Michael Pickup found that the board had no training program about cybersecurity risk, had yet to approve an update of the outdated 2012 risk management policy and, for most of the year, had not reviewed cybersecurity risk mitigation strategies.

HEABC’s board includes the CEOs of B.C.’s six health authorities: Vancouver Coastal, Fraser, Interior, Island, Northern and Provincial Health Services.

B.C.’s health-care system is no stranger to cyberattacks. Diagnostics contractor LifeLabs was hacked by a ransomware gang in October 2019. A joint investigation by the Ontario and B.C. information and privacy commissioners found the company failed to protect personal information of 15 million patients in one of Canada’s biggest cybersecurity incidents.

In May 2020, Vancouver Coastal Health went public after ransomware hackers broke into the Employee and Family Assistance Program system. The pandemic triggered a boom in hacking. A March 2022 cybersecurity briefing for then-Premier John Horgan said the B.C. government faced a near tenfold increase in unauthorized access attempts in 2020 over 2015.

The report, obtained under freedom of information, said the provincial government spends $25 million on information technology security annually.

In 2021, it updated mandatory security training for public servants and implemented advanced security systems to prevent email-based attacks. The presentation for Horgan from the Ministry of Citizens’ Services cited a 2021 IBM report that estimated the total cost per breach had risen by 20 per cent to $6.7 million. The incidents result in losses of data, productivity, service, intellectual property and public funds.

They also harm organizational interconnectedness, lead to lawsuits and threaten public safety. The presentation also quoted a Canalys cybersecurity report that estimated there were more breaches and records lost across industry and government in 2020 than the previous 15 years combined, despite a 10-per-cent growth in cybersecurity spending. 

The Ministry claimed B.C.’s “cybersecurity posture” was stronger than ever and the government is a leader in privacy, security and digital identity. It said it was challenged to keep systems secure while the pandemic forced it to transform to hybrid work and cloud computing. However, even some of the world’s most-secure systems are vulnerable.

Last weekend, the New York Times reported that the U.S. government is worried that hackers connected to China’s People’s Liberation Army slipped malware into U.S. networks that could affect communications, power and water supply at U.S. military bases should China invade Taiwan.

twitter.com/bobmackin