PUBLIC NOTIFICATION OF A PRIVACY BREACH OF EMPLOYEES’ PERSONAL INFORMATION
Updated: April 14, 2023
Eastern Health is updating its current and former employees, physicians and locums on a breach of personal information resulting from a cyber-attack in October 2021. While the incident is currently under investigation, we are advising that some personal information was taken in relation to that cyber-attack.
The information taken includes name, address, contact information, and social insurance number (SIN) of employees of Eastern Health over approximately the last 28 years (prior to the October 2021 cyber-attack). At this time, there is no indication that this information is being misused and no evidence that banking information was involved for current and former employees.
The latest updates regarding the privacy breach are included below.
April 14, 2023: All individual notification letters related to the network drive privacy breach (most recently communicated in December 2022) were mailed by mid-February 2023.
December 8, 2022: In March 2022, Eastern Health advised that further patient health and employee information was taken by an unauthorized party and that a review of over 200,000 files in a network drive was being undertaken to determine the number of files containing personal health or personal information. This concludes our review into this network drive breach.
There are approximately 280 staff and physicians who are affected by this privacy breach. Some of the employee information that was taken includes human resources and administrative information such as disciplinary information, workforce planning, meeting minutes, letters, schedules, timesheets, policies, among others.
If your information was breached as an employee as a result of the network drive review, you will be notified by a separate letter in the coming weeks. The letter will outline the process to obtain further information if required.
For further details, please refer to the public service announcement (December 8, 2022): Eastern Health Provides Update on Privacy Breach
March 30, 2022: Over 200,000 files were taken from a network drive in Eastern Health’s IT environment, a portion of which may contain patient information. We are currently undertaking a manual review to determine the exact number of files containing personal health or personal information. These files contain various types of medical information from various time periods dating back to at least 1996, and may include medical diagnosis, procedure type, MCP number and ordering health-care provider for some health-care services provided in Laboratory Medicine, Medicine, Surgery, Cancer Care and Cardiology programs, among others.
Some of the employee information that was taken includes human resources and administrative information such as disciplinary information, workforce planning, meeting minutes, letters, schedules, timesheets, policies, among others.
For further details, please refer to the public service announcement (March 30, 2022): Eastern Health Updates Public on Privacy Breach Resulting from IT Outage
Information was also provided via the following public service announcement (December 14, 2021): Eastern Health Provides Update Regarding Breach of Privacy and Information
Eastern Health takes confidentiality and privacy very seriously and sincerely regrets this incident and any concern or inconvenience this may cause. We are taking steps to protect the confidentiality and privacy of our employees and clients. As part of that process, Eastern Health has entered into a contract with Equifax to offer all current employees and affected former employees credit monitoring and identity theft protection services. If you worked with Eastern Health any time in the 28-year period prior to the October 2021 cyber-attack, you are offered access to credit monitoring and identity theft protection services for a period of five years from the date of enrollment, at no cost to you. Information regarding credit monitoring and identity theft protection services for current and former employees, physicians and locums is available via Eastern Health’s website: https://www.easternhealth.ca/it-systems-outage/credit-monitoring-identity-theft-protection-services/for-current-and-former-employees-physicians-and-locums/
Along with the recommended Equifax service, we would also encourage you to remain vigilant regarding your financial information. If you notice any unusual activity in any of your accounts or your account statements, please contact your service providers as soon as possible. Service Canada’s website also offers advice on how to protect yourself against identity theft, which can be found here: https://www.canada.ca/en/revenue-agency/services/forms-publications/publications/rc284/protect-yourself-against-identity-theft.html.
Mental Health supports for former and current employees are available and include the Bridge the Gapp website, which can be accessed through the following link: www.bridgethegapp.ca. Other services include the CHANNAL Warm Line [1-855-753-2560] and the Provincial Mental Health Crisis Line. In-person services may also be accessed through Doorways Mental Health Clinics. Current employees can learn more about the supports available to them by contacting the Employee and Family Assistance Program (EFAP) with Eastern Health.
Immediate actions were taken to reduce the risk of further incidents and these efforts will continue. Eastern Health notification protocols through the Newfoundland and Labrador Office of the Information and Privacy Commissioner (OIPC) are underway. The RCMP and other external resources are currently involved, provincially, to fully investigate the incident. We appreciate your patience and understanding as the investigation continues.
If you are not satisfied with Eastern Health’s response to this privacy breach, you have the right to contact the OIPC NL. OIPC NL wishes to advise, however, that the Commissioner has already decided to launch a privacy investigation regarding this incident. Unless you believe there are very specific circumstances particular to your own case that would warrant an individual complaint, it is not necessary to file a complaint. If you have any questions or aren’t sure if you should file an individual complaint, feel free to contact the OIPC NL to discuss further. The OIPC may be contacted through the following address:
Office of the Information and Privacy Commissioner
2 Canada Drive
P.O. Box 13004, Station “A”
St. John’s NL, A1B 3V8
Once again, we deeply regret that this has happened and would like to apologize for this incident and provide assurance of our continued commitment to the protection of your privacy.
If you have any further questions or concerns, please feel free to contact the provincial call centre that was established for this purpose at 1-833-718-3021.