$200K public relations aid for N.L. cyberattack didn't result in transparency: expert
Newfoundland and Labrador recruited $200,000 worth of public relations advice to deal with a cyberattack against its health-care networks last fall, and a cybersecurity expert says the contract should have resulted in more transparency.
The contract between National Public Relations and the Newfoundland and Labrador Centre for Health Information was obtained through an access to information request.
It indicates the company, which specializes in crisis communications, offered the province "strategic counsel on internal and external communications regarding cyber incidents," as well as media monitoring and other communications help.
The document was signed Oct. 30, 2021, which is the day government officials have said they first discovered the attack, and it covers the government's "response phase" to the incident. It is among the few indications of what the cyberattack may have cost the province and about who was hired or consulted to help officials handle the government's response.
Cybersecurity strategist Mark Sangster says he recommends any public-facing company or organization get some help with public relations if they're hit with a cyberattack -- but he says they should be advised to be open with the public.
"That's the interesting conundrum here: the fact that this has been going on for a couple of months, at least, and there's been this sort of partial public communications about what's gone up, but we're not really hearing about the heart of it," Sangster said in an interview Thursday.
The Newfoundland and Labrador government has been tight-lipped about the attack discovered Oct. 30, refusing to say what type of cyberattack occurred and why, or whether a ransom was demanded. However, several experts have said the incident has all the markings of a ransomware attack, in which hackers encrypt or steal data to hold it hostage until a ransom is paid.
The hackers managed to wipe out much of the province's health-care IT network, forcing officials to cancel thousands of appointments, including cancer care. Doctors and nurses in some health-care facilities had to resort to paper records until systems came back online.
Officials have announced several data breaches resulting from the attack. On March 30, they revealed the perpetrators stole more than 200,000 files from a network drive, potentially involving the personal data of "thousands" of people.
Health Minister John Haggie has refused to say how much the attack cost the province, though he said on April 7 the free credit monitoring offered through Equifax to people affected by the incident cost the government about $5 million.
The contract shows a purchase order issued from the Newfoundland and Labrador Centre for Health Information -- which maintains the province's key health information databases -- to the public relations firm on Dec. 9, 2021, for $200,004.50.
Charges include $106,000 of consultation fees with "senior counsel" and $30,250 for consulting fees with a managing partner. The contract's scope of work suggests National representatives sat in on emergency operations meetings and worked with "senior levels of government" to plan and respond to the attack.
National did not respond to questions emailed Thursday morning.
By keeping quiet about details, the Newfoundland and Labrador government risks eroding public trust, especially among those whose data was stolen, Sangster said.
"I think there is a trust issue and responsibility because you are a tax-paid organization," said Sangster, who wrote the 2020 book "No Safe Harbor: The Inside Truth About Cybercrime -- and How To Protect Your Business."
"At some point, I think you owe it to the public and those people directly affected to explain what's happened."
Other organizations could also learn from Newfoundland and Labrador's experience, he said, adding, "It's not about blame. This is about improvement."
In a statement emailed Thursday, the Department of Health and Community Services said government cannot provide details about the attack.
"What we can confirm is that we experienced a cyberattack where an unauthorized third party accessed our systems, took some employee personal information and patient personal health information, and encrypted some systems in our health care IT system," wrote spokeswoman Nancy Hollett.
"We have a good understanding of the nature and extent of the incident and have taken the necessary steps to strengthen the security of our systems."
Hollett said investigations into what happened are ongoing, adding that they involve police, the province's privacy commissioner and the Canadian Centre for Cyber Security.
This report by The Canadian Press was first published April 14, 2022.
CTVNews.ca Top Stories
She developed a passion for genealogy while finding her roots. Now she helps others find their own
Lauren Robilliard always knew she was adopted. As the B.C. native grew older, she developed a passion for genealogy, tracing her roots and paving the way for a career to help others find their own.
Papua New Guinea says landslide buried more than 2,000 people
A Papua New Guinea government official has told the United Nations more than 2,000 people were believed to have been buried alive by Friday's landslide and has formally asked for international help.
A cross-country look at beer and wine in convenience stores
By Labour Day weekend, Ontarians of legal drinking age could snag a six-pack at their local convenience store on the way to the cottage. But what are alcohol sales like across the country? Here's what we know.
The dreams of a 60-year-old beauty contestant come to an abrupt end in Argentina
A 60-year-old woman saw her dreams of becoming the oldest Miss Universe contestant in history melt away in a haze of sequins and selfies Saturday at Argentina’s annual beauty pageant.
Are you a loud snorer? You could have sleep apnea
You'll have a lot more energy throughout the day if you get a good night's sleep, but not everyone does due to a medical condition.
Severe thunderstorms set to hit some areas of Canada. Here's where
Depending on where you live, you can expect to get a mixed bag of weather this week, as local forecasts predict heavy rain, strong wind and severe thunderstorms across Canada.
'We were vetted': Sex-ed organization 'disappointed' over Higgs' comments
The head of a Quebec-based sexual and reproductive health organization says she's disappointed New Brunswick Premier Blaine Higgs has deemed presentations she did in the province last week inappropriate.
Richard M. Sherman, who wrote songs for 'Mary Poppins' and 'It's a Small World,' dies at 95
Richard M. Sherman, who helped write the songs for 'Mary Poppins,' 'The Jungle Book' and 'Chitty Chitty Bang Bang' — as well as the most-played tune on Earth, 'It's a Small World (After All)' — died at 95.
Cyclone floods coastal villages, blows away thatched roofs and cuts power in Bangladesh and India
A cyclone flooded coastal villages, blew away thatched roofs and left hundreds of thousands of people without power Monday in southern Bangladesh and eastern India. At least seven deaths were reported.