December 8, 2022 – St. John’s, NL: Eastern Health is providing an update on the privacy breach as a result of the October 2021 cyber-attack that impacted health-care information technology (IT) systems across the province.
In November 2021, Eastern Health first notified the public of a breach of some personal information and personal health information. As the investigation continued and subsequent updates were provided, Eastern Health advised in March 2022 that further patient health and employee information was taken by an unauthorized party.
At that time, the public was informed that this breach included a network drive containing over 200,000 files and that a review was being undertaken to determine the number of files containing personal health or personal information. The review of the network drive is now complete and indicates that approximately 20,000 of these files require notification for approximately 31,500 affected individuals. The majority of those impacted are patients, while approximately 280 are staff or former staff members.
It was previously communicated that a number of the files on the network drive contain various types of medical information from various time periods dating back to at least 1996, and include medical diagnosis, procedure type, MCP number and ordering health-care provider for some health-care services provided, as well as human resources and administrative information. It has since been determined that social insurance numbers (SIN) for fewer than 20 patients and banking/financial information for fewer than five patients were involved in the breach. There is no indication that the information has been misused at this time.
Eastern Health has started to notify affected individuals of this breach. The first letters were mailed this week and will continue to be mailed in a phased approach over the next several weeks into January 2023. Individuals with questions are advised to contact the telephone number provided in their notification letter. Letters include a unique code for each individual; questions about individual situations can be responded to once a letter of notification with a code has been received.
In addition, Eastern Health is advising that the registration deadline to avail of Equifax Canada’s credit monitoring and identity theft protection services for affected individuals has been extended to September 30, 2023. Clients who have received health-care services from Eastern Health at any time are being offered access to credit monitoring and identity theft protection services for a period of two (2) years from the date of enrollment, at no cost to them. Patients whose SIN and banking/financial information was breached are offered five (5) years of credit monitoring and identity theft protection at no cost to them. Current and former employees, physicians and locums of Eastern Health over the past 28 years are also being offered access to credit monitoring services for a period of five (5) years from the date of enrollment. To learn more, please visit Eastern Health’s IT Systems Outage webpage at: www.easternhealth.ca/it-systems-outage/credit-monitoring-identity-theft-protection-services/.
Eastern Health has provided an update on this privacy breach to the Newfoundland and Labrador Office of the Information and Privacy Commissioner (OIPC). General questions can be directed to the provincial toll-free information line at 1-833-718-3021. For more information regarding the cyber incident, please visit the Government of Newfoundland and Labrador’s website at https://www.gov.nl.ca/hcs/information-and-updates-on-cyber-incident/.
Eastern Health takes confidentiality and privacy very seriously and deeply regrets that this has happened. We would like to apologize for this incident and provide assurance of our continued commitment to the protection of your privacy. The general public is encouraged to remain vigilant and to take steps to protect their information. If you notice any unusual activity, report it to the relevant authorities. Further information on how to protect your information is available here.
-30-