Public Notification

PUBLIC NOTIFICATION OF PRIVACY BREACH OF PERSONAL HEALTH INFORMATION

Updated: November 7, 2023

Eastern Health is updating the public on a breach of personal health information that occurred in October 2021.

Through an investigation into this cyber-attack, it was determined that the incident was a ransomware attack involving Hive ransomware, and that some personal information and personal health information belonging to clients and employees was taken from certain systems.

This includes information used at registration for services such as name, address, health care number (MCP), who you are visiting, reason for visit, physician name, phone number, date of birth, email address for notifications, inpatient/outpatient, maiden name and marital status. There is no indication that this information has been misused at this time.

The latest updates regarding the privacy breach are included below.

April 14, 2023: Clients who received health-care services from Eastern Health prior to the October 2021 cyber-attack were affected by the privacy breach. In addition, a sub-set of individuals were affected by the network drive privacy breach (most recently communicated in December 2022). All individual notification letters related to the network drive privacy breach were mailed by mid-February 2023.

December 8, 2022: Eastern Health advised in March 2022 that further patient health and employee information was taken by an unauthorized party.
At that time, the public was informed that this breach included a network drive containing over 200,000 files and that a review was being undertaken to determine the number of files containing personal health or personal information. The review of the network drive is now complete and indicates that approximately 20,000 of these files require notification for approximately 31,500 affected individuals. The majority of those impacted are patients, while approximately 280 are staff or former staff members.

It was previously communicated that a number of the files on the network drive contain various types of medical information from various time periods dating back to at least 1996, and include medical diagnosis, procedure type, MCP number and ordering health-care provider for some health-care services provided, as well as human resources and administrative information. It has since been determined that social insurance numbers (SIN) for fewer than 20 patients and banking/financial information for fewer than five patients were involved in the breach. There is no indication that the information has been misused at this time.

Eastern Health has started to notify affected individuals of this breach. The first letters were mailed this week and will continue to be mailed over the next several weeks. Individuals with questions are advised to contact the telephone number provided in their notification letter. Letters include a unique code for each individual; questions about individual situations can be responded to once a letter of notification with a code has been received.

For further details, please refer to the public service announcement (December 8, 2022): Eastern Health Provides Update on Privacy Breach

March 30, 2022: The investigation has identified that further patient health and employee information was taken by an unauthorized party. Over 200,000 files were taken from a network drive in Eastern Health’s IT environment, a portion of which may contain patient information. We are currently undertaking a manual review to determine the exact number of files containing personal health or personal information. A number of these files consist of various types of medical information from various time periods dating back to at least 1996, and may include medical diagnosis, procedure type, MCP number and ordering health-care provider for some health-care services provided in Laboratory Medicine, Medicine, Surgery, Cancer Care and Cardiology programs, among others, as well as human resources and administrative information. There is no indication that the information has been misused.

For further details, please refer to the public service announcement (March 30, 2022): Eastern Health Updates Public on Privacy Breach Resulting from IT Outage

December 14, 2021: It was determined that social insurance numbers (SINs) for some patients were involved in this breach. Approximately 1,970 Eastern Health patients had SINs breached and, because more than half of these patients are now deceased, approximately 900 Eastern Health patients were sent direct notification by mail. Letters were sent to Eastern Health patients whose SIN was breached with an offer of five years of credit monitoring and identity theft protection at no cost to them. Individuals who have questions are encouraged to contact Eastern Health’s Privacy Office via the contact information provided in the notification letter.

For further details, please refer to the public service announcement (December 14, 2021): Eastern Health Provides Update Regarding Breach of Privacy and Information

Eastern Health takes confidentiality and privacy very seriously and sincerely regrets any concern or inconvenience that this incident may cause. We have taken steps to protect the confidentiality and privacy of our clients. For the general public, a provincial call centre can be contacted through the following toll-free number, 1-833-718-3021. For more information, please visit https://www.gov.nl.ca/hcs/information-and-updates-on-cyber-incident/ for steps you can take to protect your information.

Credit monitoring and identity theft protection services were offered to current and prior clients of Eastern Health. The deadline to register for these services was September 30, 2023. Information regarding credit monitoring and identity theft services is available via Eastern Health’s website: https://www.easternhealth.ca/it-systems-outage/credit-monitoring-identity-theft-protection-services/.

Mental health supports for clients are also available and include the Bridge the Gapp website which may be accessed through the following link www.bridgethegapp.ca. Other services are available through the CHANNAL Warm Line [1-855-753-2560] and the Provincial Mental Health Crisis Line [811]. In-person services may also be accessed through Doorways Mental Health Clinics throughout the Eastern Region. Federal Government services may also be accessed through the Wellness Together Canada Portal that can be accessed through the following link https://wellnesstogether.ca/en-CA.

Eastern Health has taken immediate action to prevent further incidents and these efforts will continue. Additionally, the Newfoundland and Labrador Office of the Information and Privacy Commissioner (OIPC), the RCMP, the Canadian Centre for Cyber Security, and other external agencies were immediately notified, and investigations are now complete.

If you are not satisfied with Eastern Health’s response to this privacy incident, you have the right to contact the OIPC. This Office has oversight of two Acts, one of which is the Personal Health Information Act (PHIA); this oversight includes receiving complaints and investigating breaches of personal health information. OIPC NL wishes to advise, however, that the OIPC NL has completed their privacy investigation regarding this incident and has issued a final report. For more information, please see the news release: Office of the Information and Privacy Commissioner – Report P-2023-001/PH-2023-002 Released.

Once again, we deeply regret that this has happened and provide assurance of our continued commitment to quality service and protection of your privacy.

If you have any further questions or concerns, please feel free to contact the Eastern Health privacy representative at privacy@easternhealth.ca.

Last updated: 2023-11-07