January 08, 2021

Government Responds to OIPC eHealth Report

Earlier today, the Office of the Saskatchewan Information and Privacy Commissioner (OIPC) released an Investigation Report examining the eHealth Saskatchewan cyberattack reported on January 10, 2020.  The Government of Saskatchewan finds several of the Privacy Commissioner's findings deeply troubling and is responding with a number of immediate and planned actions to address the recommendations.

“Saskatchewan people expect their personal health information to be secure and protected,” Health Minister Paul Merriman said.  “This expectation was failed when eHealth’s systems were breached last December.  The report issued today by Mr. Kruzeniski contains several troubling findings and recommendations regarding the data breach and subsequent events, and details a number of shortcomings on behalf of eHealth, the Saskatchewan Health Authority and the Ministry of Health.  Our government takes these findings and recommendations seriously and will commence work to address them immediately.”

On Tuesday, December 22, eHealth, the Ministry of Health and the Saskatchewan Health Authority (SHA) provided mass notification regarding the extent of the data breach in alignment with the OIPC recommendation to do so.  This included notification through media releases, newspaper notices, website notices and social media alerts.  To address concerns raised by the OIPC regarding delays in providing this public notification, the Minister of Health has ordered an internal review by the Deputy Minister of Health into the ministry and health authority decision-making processes that resulted in delays in providing public notification in a timely manner.

The Minister of Health also indicated that action will soon be announced to address the recommendation for an independent review of eHealth’s governance, management and program operations.

The OIPC report contains 25 recommendations directed to eHealth, the Ministry of Health and the SHA.  Due to the technical nature of several recommendations, a response to each individual recommendation will be provided to the OIPC within 30 days.  Quarterly updates will be provided to the OIPC outlining progress on the development and implementation of preventative measures outlined in the report.

“I would like to thank Mr. Kruzeniski for his thorough report and continued work in protecting the personal information of Saskatchewan citizens,” Merriman said.  “While Mr. Kruzeniski rightly notes that the current pandemic is placing demands on the health care system, I agree with his assessment of the importance for officials to begin this work as soon as possible, and have conveyed my expectation that his requested timelines should be met.”