Court documents show Mounties were initially pursuing criminal charges against an Alberta legislature member who admitted to hacking a government health website.
Former NDP MLA Thomas Dang was charged in June under the province’s Health Information Act for illegally attempting to access private information contained in the Alberta Health vaccine portal.
He is scheduled to appear in court July 27 and could face a fine up to $200,000 if convicted.
Documents filed with the court, unsealed Wednesday and first obtained by the CBC, say an officer with the cybercrime investigation team believed a criminal offence – unauthorized use of a computer – had been committed.
Other documents, including search warrants and production orders, suggest RCMP were considering that charge, which carries a maximum of 10 years in prison, as late as the end of March.
A spokeswoman for Alberta Justice declined to comment Thursday on the Crown’s decision to pursue a charge under the health act, because the case is before the court.
Mr. Dang, who represents Edmonton-South, resigned from the NDP caucus when he became aware of the RCMP investigation in December, 2021.
Police investigated after Mr. Dang admitted to using his computer to follow up on a tip from a constituent about possible loopholes that were allowing access to people’s private health information on the province’s COVID-19 vaccine website.
He later said that when he ran into roadblocks trying to breach the vaccination site, he used Premier Jason Kenney’s birth date and vaccination dates – both publicly available – which allowed him to crack the site’s privacy safeguards.
A document from the officer, dated March 31, 2022, notes the province launched the vaccine portal to allow people to download their vaccine records in September, 2021.
“Upon the website going live, it was flooded with abnormal traffic,” it says. “Many of these requests came through the TOR network, which is a system designed to provide anonymity to a user, hiding their true IP address by using a relay system.
“During this time there were 1.75 million requests using the birth date of Premier Jason Kenney, and a further approximately 50,000 requests using the date of birth of Thomas Dang.”
The document says at least some of the requests were automated and notes those types of attacks are often referred to as a “brute force attack.”
It says several queries were attempted before an e-mail was sent to the Alberta Health director of communications from the Alberta NDP’s director of communications about a potential vulnerability in the vaccine portal.
“A search warrant was executed on the residence of Thomas Dang and a number of computers were seized,” says the document.
“Dang admitted he tested the system and successfully downloaded someone’s record. He stated it was his obligation as an MLA and a cybersecurity professional to check the site for potential flaws and report them to Alberta Health.”
Mr. Dang, who could not immediately be reached for comment Thursday, has been sitting in the house as an Independent but has said he wants to return to the NDP caucus.
We have a weekly Western Canada newsletter written by our B.C. and Alberta bureau chiefs, providing a comprehensive package of the news you need to know about the region and its place in the issues facing Canada. Sign up today.