Through the course of the ongoing investigation and review, it has been determined that some personal health information of our clients, and personal information of our current and former employees, physicians and locums was taken during the October 2021 cyber-attack that impacted health-care information technology (IT) systems across the province.
At this time, there is no indication the information taken has been misused or disclosed and no evidence that banking information was involved.
For current and former clients:
While the incident is currently under investigation, we can confirm that some personal health information of our clients was taken in the incident. This involves some personal health information of those who received services from Eastern Health at any time, and includes information used at registration for services such as: name, address, medical care plan (MCP), who a client is visiting, and reason for visit, physician name, phone number, date of birth, and email address for notifications, inpatient/outpatient, maiden name and marital status.
The investigation has identified that further patient health and employee information was taken by an unauthorized party. Over 200,000 files were taken from a network drive in Eastern Health’s IT environment, a portion of which may contain patient information. We are currently undertaking a manual review to determine the exact number of files containing personal health or personal information. A number of these files consist of various types of medical information from various time periods dating back to at least 1996, and may include medical diagnosis, procedure type, MCP number and ordering health-care provider for some health-care services provided in Laboratory Medicine, Medicine, Surgery, Cancer Care and Cardiology programs, among others, as well as human resources and administrative information.
In addition, it has been determined that social insurance numbers for some patients were involved in this breach. Approximately 1,970 Eastern Health patients had SINs breached and, because more than half of these patients are now deceased, approximately 900 Eastern Health patients were sent direct notification by mail. Letters were sent to Eastern Health patients whose SIN was breached with an offer of five years of credit monitoring and identify theft protection at no cost to them. Please read the following public notification of privacy breach of personal health information.
For current and former employees, physicians and locums:
Some of the personal information of current and former employees, physicians and locums was taken during the same cyber incident. This includes information such as: name, address, contact information, and social insurance number of employees of Eastern Health over approximately the last 28 years. The investigation has identified that further patient health and employee information was taken by an unauthorized party. Some of the employee information that was taken include human resources and administrative information such as disciplinary information, workforce planning, meeting minutes, letters, schedules, timesheets, policies, among others. Please read the following privacy breach of current and former employee’s personal information.
Credit monitoring and identity theft protection service
Health and safety remain our top priority. We deeply regret that this incident occurred, and we have taken immediate action to reduce the risk of further incidents and these efforts will persist. We would like to provide assurance of our continued commitment to the protection of the privacy of our current and former employees and clients.
Affected clients, as well as current and former employees, physicians and locums, are being offered access to credit monitoring and identity theft protection services through Equifax Canada, at no cost to them. Please follow the most appropriate link below to learn more about the service that is available to you.
A process is being identified for affected individuals who require extra support to access the Equifax service.
Equifax Canada has created a web portal for individuals to enroll in these credit monitoring and identity theft protection services and receive an activation code by email before the December 31, 2022 deadline. Please click the link below to access this web portal.
Please note that this service is only available to residents of Newfoundland and Labrador. If individuals are not residents of Newfoundland and Labrador and have been affected, they are advised to call the provincial toll-free information line at 1-833-718-3021. As well, individuals who are residents of Newfoundland and Labrador may also call the provincial toll-free information line at 1-833-718-3021 to obtain an activation code if they are unable to access the Equifax Canada website.
Please note that by clicking this link, you will be redirected to an Equifax website.
As always, individuals are encouraged to remain vigilant regarding their financial information. If you notice any unusual activity in any of your accounts or your account statements, please contact your service providers as soon as possible.