March 30, 2022 – St. John’s, NL: Eastern Health advises the public that the ongoing investigation has revealed that additional information was taken during the cyber-attack that impacted health-care information technology (IT) systems across the province in October 2021.
The public was first notified in November 2021, that some personal information and personal health information was taken during the cyber-attack by an unauthorized third party. Eastern Health has been working since that time in collaboration with the Newfoundland and Labrador Centre of Health Information (NLCHI) and the Department of Health and Community Services to determine if additional information may have been accessed or taken.
The investigation has identified that further patient health and employee information was taken by an unauthorized party. Over 200,000 files were taken from a network drive in Eastern Health’s IT environment, a portion of which may contain patient information. We are currently undertaking a manual review to determine the exact number of files containing personal health or personal information. A number of these files contain various types of medical information from various time periods dating back to at least 1996, and may include medical diagnosis, procedure type, MCP number and ordering health-care provider for some health-care services provided in Laboratory Medicine, Medicine, Surgery, Cancer Care and Cardiology programs, among others, as well as human resources and administrative information. There is no indication that the information has been misused or that banking information was involved.
Further review of these files is ongoing and will determine the precise nature of the information included in this breach. As this information is confirmed, letters will be sent by mail to affected individuals advising them of the details of the breach. Individuals who have questions are encouraged to contact Eastern Health’s Privacy Office via the contact information provided in the notification letter.
Eastern Health also reminds the public that it has entered into a contract with Equifax Canada to provide credit monitoring services for affected individuals. The registration deadline to sign up for credit monitoring services is being extended to December 31, 2022 and a new Equifax web portal for clients is being developed and will be accessible via Eastern Health’s website in the coming weeks.
Clients who have received health-care services from Eastern Health at any time are being offered access to credit monitoring and identity theft protection services for a period of two (2) years from the date of enrollment, at no cost to them. Current and former employees, physicians and locums of Eastern Health over the past 28 years are also being offered access to credit monitoring services for a period of five (5) years from the date of enrollment. To learn more, please visit Eastern Health’s IT Systems Outage webpage at: www.easternhealth.ca/it-systems-outage/credit-monitoring-identity-theft-protection-services/.
Eastern Health has informed the Newfoundland and Labrador Office of the Information and Privacy Commissioner (OIPC) of this privacy breach. General questions about this privacy breach can be directed to the provincial toll-free information line at 1-833-718-3021. Questions about individual situations can only be responded to once an individual has received a letter of notification. For more information, please visit the Government of Newfoundland and Labrador’s website at https://www.gov.nl.ca/hcs/information-and-updates-on-cyber-incident/.
Everyone is encouraged to remain vigilant and to take steps to protect their information. If you notice any unusual activity, report it to the relevant authorities. Further information on how to protect your information is available here.
Eastern Health takes confidentiality and privacy very seriously and is continuing to implement further measures around IT security for the protection of all. We will continue ongoing work into the future and individually notify individuals if we learn that additional information has been compromised as a result of this cyber-attack.
– 30 –