‘It’s very stressful’: Clients of Indigenous health authority react to ransomware attack

FNHA in B.C. won’t say how many had personal information compromised

First Nations Health Authority in B.C. says it was targeted by "partially successfull" cyber attack. Photo: FNHA


The First Nations Health Authority (FNHA) in British Columbia says it has concluded its investigation into a ransomware attack in May, but some clients remain concerned about the theft of their medical and personal information.

“I was one of the people whose data was stolen [and I] only found out five months after the fact,” said Lee Wilson of the Haisla Nation in northern B.C.

“I worked hard to build credit and protect my information, but all of that could be wiped away because an organization didn’t do its job.”

Lorinda Campbell of the Gitsxan Nation said her sister found out she now has two provincial health numbers.

“She doesn’t know if it’s related to the breach but it’s very stressful as she continues to deal with her own medical issues,” Campbell said Wednesday.

Interrupted attack

The FNHA, which provides people with status under the Indian Act living in B.C. with a community-driven health benefits plan, said it interrupted the cybersecurity attack on May 13.

But not before the hackers stole sensitive medical and personal information of its clients and employees that was later posted to the dark web.

This includes Indian Status Card numbers, the FNHA said in a statement posted on its website.

“If your status number has been compromised, you may be at risk of identity theft,” the statement said.

“As a protective measure the FNHA is offering to provide eligible individuals with a free two-year subscription (for credit monitoring and identity theft protection).”

Not satisfactory

However, Wilson said this wasn’t satisfactory, particularly for Elders who aren’t familiar with computers.

“There needs to be a more satisfactory solution than the proposed two-year identity theft protection,” he said in an emailed statement to APTN News.

“Our health and status numbers are lifelong numbers we must use, and a temporary protection plan does not adequately address the long-term risks.”

It declined an interview request from APTN and would not say how many First Nations people were affected.

“Thank you for reaching out,” it said in an email Wednesday. “We’d like to direct your attention to our detailed Q&A, which can be found [link to site].

“At this time, we have nothing further to add.”

Uncovered evidence

The FNHA said it “uncovered evidence that health insurance plan billing data, procurement contracts, business contracts, FNHA budgets, cheques, information on dental services to remote First Nations communities, and records and correspondence from the Northern Health Authority had been impacted.”

FNHA employees were notified of the security breach and instructed to change their passwords on May 15, an online statement said.

As well, “corporate credit card information and some or all 2023 T4 statement of remuneration paid forms” was “accessed and copied by the unauthorized third party.”

FNHA said it cancelled the credit cards.

Also, hackers obtained medical test results – specifically tuberculosis screening information, it said.

Did not pay

FNHA noted it did not pay the ransom and reported the breach to the police. It has also established a Cyber Incident Support Centre to answer questions from clients, it said online.

The breach affects current and former employees, First Nations people who live or have lived in B.C., on-reserve patients and their off-reserve family members, and anyone who has filed a complaint or compliment with the FNHA about healthcare services, the organization said online.

The FNHA said it is also providing mental health supports in connection with the invasion of privacy.

Still, Wilson, who used to work for APTN News, said more hands-on help is needed.

“Reading the FNHA release listing those impacted, I have no doubt many First Nation Elders were going to be affected,” he said. “I hope there is a solution that doesn’t require them to navigate online to sign up through an online credit protection site.

“I am confident about technology and the online world, and I was uncertain about sharing some of the information Equifax required to provide the identity fix.”

Campbell echoed Wilson’s points.

“It’s impacted (my sister’s) health at a time when she should be focusing on getting better,” Campbell said in a telephone interview. “She’s worried she could get the wrong medication.”

Contribute Button