Notification for current and former employees
PUBLIC NOTIFICATION OF A PRIVACY BREACH OF EMPLOYEES’ PERSONAL INFORMATION
Updated: November 7, 2023
Eastern Health is updating its current and former employees, physicians and locums on a breach of personal information resulting from a cyber-attack in October 2021. Through an investigation into this cyber-attack, it was determined that the incident was a ransomware attack involving Hive ransomware, and that some personal information and personal health information belonging to clients and employees was taken from certain systems.
The information taken includes name, address, contact information, and social insurance number (SIN) of employees of Eastern Health over approximately the last 28 years (prior to the October 2021 cyber-attack). At this time, there is no indication that this information is being misused and no evidence that banking information was involved for current and former employees.
The latest updates regarding the privacy breach are included below.
April 14, 2023: All individual notification letters related to the network drive privacy breach (most recently communicated in December 2022) were mailed by mid-February 2023.
December 8, 2022: In March 2022, Eastern Health advised that further patient health and employee information was taken by an unauthorized party and that a review of over 200,000 files in a network drive was being undertaken to determine the number of files containing personal health or personal information. This concludes our review into this network drive breach.
There are approximately 280 staff and physicians who are affected by this privacy breach. Some of the employee information that was taken includes human resources and administrative information such as disciplinary information, workforce planning, meeting minutes, letters, schedules, timesheets, policies, among others.
If your information was breached as an employee as a result of the network drive review, you will be notified by a separate letter in the coming weeks. The letter will outline the process to obtain further information if required.
For further details, please refer to the public service announcement (December 8, 2022): Eastern Health Provides Update on Privacy Breach
March 30, 2022: Over 200,000 files were taken from a network drive in Eastern Health’s IT environment, a portion of which may contain patient information. We are currently undertaking a manual review to determine the exact number of files containing personal health or personal information. These files contain various types of medical information from various time periods dating back to at least 1996, and may include medical diagnosis, procedure type, MCP number and ordering health-care provider for some health-care services provided in Laboratory Medicine, Medicine, Surgery, Cancer Care and Cardiology programs, among others.
Some of the employee information that was taken includes human resources and administrative information such as disciplinary information, workforce planning, meeting minutes, letters, schedules, timesheets, policies, among others.
For further details, please refer to the public service announcement (March 30, 2022): Eastern Health Updates Public on Privacy Breach Resulting from IT Outage
Information was also provided via the following public service announcement (December 14, 2021): Eastern Health Provides Update Regarding Breach of Privacy and Information
Eastern Health takes confidentiality and privacy very seriously and sincerely regrets this incident and any concern or inconvenience this may cause. Following the cyber-attack, Eastern Health entered into a contract with Equifax to offer all current employees and affected former employees credit monitoring and identity theft protection services. The deadline to register for these services was September 30, 2023. Information regarding credit monitoring and identity theft protection services for current and former employees, physicians and locums is available via Eastern Health’s website: https://www.easternhealth.ca/it-systems-outage/credit-monitoring-identity-theft-protection-services/for-current-and-former-employees-physicians-and-locums/
We continue to encourage you to remain vigilant regarding your financial information. If you notice any unusual activity in any of your accounts or your account statements, please contact your service providers as soon as possible. Service Canada’s website also offers advice on how to protect yourself against identity theft, which can be found here: https://www.canada.ca/en/revenue-agency/services/forms-publications/publications/rc284/protect-yourself-against-identity-theft.html.
Mental Health supports for former and current employees are available and include the Bridge the Gapp website, which can be accessed through the following link: www.bridgethegapp.ca. Other services include the CHANNAL Warm Line [1-855-753-2560] and the Provincial Mental Health Crisis Line [811]. In-person services may also be accessed through Doorways Mental Health Clinics. Current employees can learn more about the supports available to them by contacting the Employee and Family Assistance Program (EFAP) with Eastern Health.
Immediate actions were taken to reduce the risk of further incidents and these efforts will continue. Additionally, the Newfoundland and Labrador Office of the Information and Privacy Commissioner (OIPC), the RCMP, the Canadian Centre for Cyber Security, and other external agencies were immediately notified, and investigations are now complete.
If you are not satisfied with Eastern Health’s response to this privacy breach, you have the right to contact the OIPC NL. OIPC NL wishes to advise, however, that the OIPC NL has completed their privacy investigation regarding this incident and has issued a final report. For more information, please see the news release: Office of the Information and Privacy Commissioner – Report P-2023-001/PH-2023-002 Released.
Once again, we deeply regret that this has happened and would like to apologize for this incident and provide assurance of our continued commitment to the protection of your privacy.
If you have any further questions or concerns, please feel free to contact the provincial call centre that was established for this purpose at 1-833-718-3021.