PUBLIC NOTIFICATION OF A PRIVACY BREACH OF EMPLOYEES’ PERSONAL INFORMATION
Updated: December 8, 2022
Eastern Health is updating its current and former employees, physicians and locums on a recent breach of personal information. While the incident is currently under investigation, we are advising that some personal information was breached in relation to a cyber-attack that occurred in October 2021.
This breach includes information such as name, address, contact information, and social insurance number (SIN) of employees of Eastern Health over approximately the last 28 years. At this time, there is no indication that this information is being misused and no evidence that banking information was involved for current and former employees.
The latest updates regarding the privacy breach are included below.
December 8, 2022: In March 2022, Eastern Health advised that further patient health and employee information was taken by an unauthorized party and that a review of over 200,000 files in a network drive was being undertaken to determine the number of files containing personal health or personal information. This concludes our review into this network drive breach.
There are approximately 280 staff and physicians who are affected by this privacy breach. Some of the employee information that was taken includes human resources and administrative information such as disciplinary information, workforce planning, meeting minutes, letters, schedules, timesheets, policies, among others.
If your information was breached as an employee as a result of the network drive review, you will be notified by a separate letter in the coming weeks. The letter will outline the process to obtain further information if required.
March 30, 2022: Over 200,000 files were taken from a network drive in Eastern Health’s IT environment, a portion of which may contain patient information. We are currently undertaking a manual review to determine the exact number of files containing personal health or personal information. These files contain various types of medical information from various time periods dating back to at least 1996, and may include medical diagnosis, procedure type, MCP number and ordering health-care provider for some health-care services provided in Laboratory Medicine, Medicine, Surgery, Cancer Care and Cardiology programs, among others.
Some of the employee information that was taken includes human resources and administrative information such as disciplinary information, workforce planning, meeting minutes, letters, schedules, timesheets, policies, among others.
Eastern Health takes confidentiality and privacy very seriously and sincerely regrets this incident and any concern or inconvenience this may cause. We are taking steps to protect the confidentiality and privacy of our employees and clients. As part of that process, Eastern Health has entered into a contract with Equifax to offer all current employees and affected former employees credit monitoring and identity theft services. If you worked with Eastern Health any time in the last 14 years, you can avail yourself of this free service. Eastern Health is currently in the process of contacting former employees, physicians and locums to offer this recommended service. If you do not receive a letter from Eastern Health in the coming weeks, please call 1-833-718-3021.
Along with the recommended Equifax service, we would also encourage you to remain vigilant regarding your financial information. If you notice any unusual activity in any of your accounts or your account statements, please contact your service providers as soon as possible. Service Canada’s website also offers advice on how to protect yourself against identity theft, which can be found here: https://www.canada.ca/en/revenue-agency/services/forms-publications/publications/rc284/protect-yourself-against-identity-theft.html.
Mental Health supports for former and current employees are available and include the Bridge the Gapp website, which can be accessed through the following link: www.bridgethegapp.ca. Other services include the CHANNAL Warm Line [1-855-753-2560] and the Provincial Mental Health Crisis Line. In-person services may also be accessed through Doorways Mental Health Clinics. Current employees can learn more about the supports available to them by contacting the Employee and Family Assistance Program (EFAP) with Eastern Health.
Immediate actions were taken to reduce the risk of further incidents and these efforts will continue. Eastern Health notification protocols through the Newfoundland and Labrador Office of the Information and Privacy Commissioner (OIPC) are underway. The RCMP and other external resources are currently involved, provincially, to fully investigate the incident. We appreciate your patience and understanding as the investigation continues.
If you are not satisfied with Eastern Health’s response to this privacy breach, you have the right to contact the OIPC NL. OIPC NL wishes to advise, however, that the Commissioner has already decided to launch a privacy investigation regarding this incident. Unless you believe there are very specific circumstances particular to your own case that would warrant an individual complaint, it is not necessary to file a complaint. If you have any questions or aren’t sure if you should file an individual complaint, feel free to contact the OIPC NL to discuss further. The OIPC may be contacted through the following address:
Office of the Information and Privacy Commissioner
2 Canada Drive
P.O. Box 13004, Station “A”
St. John’s NL, A1B 3V8
Once again, we deeply regret that this has happened and would like to apologize for this incident and provide assurance of our continued commitment to the protection of your privacy.
If you have any further questions or concerns, please feel free to contact the provincial call centre that was established for this purpose at 1-833-718-3021.