ST. JOHN’S, N.L. — The provincial official leading an investigation into the 2021 cyberattack that toppled much of Newfoundland and Labrador’s health-care system has begrudgingly stepped away from the probe after the province challenged his role in court.
Information and privacy commissioner Michael Harvey said Tuesday that he rejects the province’s accusations of bias in his investigation of the attack. However, a news release said he will recuse himself from the ongoing probe “to avoid a lengthy and expensive court proceeding.”
He said his priority is “to avoid any further delay in the release” of his office’s report.
Harvey announced in November 2021 that his office would dig into the cyberattack. The investigation and report is expected to provide the public an in-depth look at what happened and why.
The attack crashed much of the province’s health-care IT systems on Oct. 30, 2021, forcing thousands of appointment cancellations while some health-care facilities resorted to pen and paper to keep track of patients. For nearly a year and a half, officials kept mum about the nature of the attack and who was behind it, citing security concerns.
Last Tuesday, a day before the province filed its case against Harvey with the provincial Supreme Court, Justice Minister John Hogan announced the Hive ransomware group was to blame. He said he could finally reveal the perpetrator because the group had been dismantled earlier this year by the FBI. The hackers used a virtual private network to break in to the Newfoundland and Labrador Centre For Health Information, which maintains key databases and IT systems, he said.
Hogan would not say if the province paid a ransom or even if one had been demanded, again citing security concerns.
Court documents show Harvey was digging into the province’s decisions to withhold information about the attack. In a long list of questions he sent to the Department of Health and Community Services in January, he asked why the public — particularly those people whose information was stolen — had not been told about the nature of the attack. He said the silence raised accountability questions, and that he had to consider if, for example, those who had their personal information stolen would have signed up sooner for credit monitoring if they knew what kind of attack was involved.
Harvey was also asking the department for answers about the time it took to tell people their data had been stolen. In his questions, he said officials had, or ought to have had, evidence of data thefts beginning Nov. 5, 2021. Officials held a public briefing five days later to say personal information had been “accessed,” but he said they would not confirm to reporters that it had been stolen.
Officials ultimately reported that personal information belonging to more than 58,000 people had been taken by the hackers.
Harvey also asked the department about a 2019 assessment that flagged cybersecurity weaknesses at the centre for health information, as well as a 2020 information note from the centre that “rated the likelihood of a ransomware attack as being high.”
In its lawsuit, the province argued that Harvey held high-ranking positions within the Health Department and Centre for Health Information before he was appointed privacy commissioner in 2019. Since his investigation encompassed decisions made while he held those positions, his involvement created “a reasonable apprehension of bias,” said the statement of claim.
“As a matter of procedural fairness, therefore, the Commissioner should not be permitted to lead the investigation or participate in it in any manner,” the document said.
The Office of the Information and Privacy Commissioner‘s news release Tuesday said Harvey rejected those allegations but that it was in the public’s best interest that the investigation be included and its report be published as quickly as possible.
This report by The Canadian Press was first published March 21, 2023.