PUBLIC NOTIFICATION OF PRIVACY BREACH OF PERSONAL HEALTH INFORMATION
Updated: December 8, 2022
Eastern Health is updating the public on a breach of personal health information that occurred in October 2021. While the incident is currently under investigation, we are advising that some personal health information about clients of Eastern Health was taken in the incident.
At this time, we can confirm that some personal health information of clients who received services from Eastern Health is involved. This includes information used at registration for services such as name, address, health care number (MCP), who you are visiting, and reason for visit, physician name, phone number, date of birth, and email address for notifications, inpatient/outpatient, maiden name and marital status. There is no indication that this information has been misused at this time.
The latest updates regarding the privacy breach are included below.
December 8, 2022: Eastern Health advised in March 2022 that further patient health and employee information was taken by an unauthorized party.
At that time, the public was informed that this breach included a network drive containing over 200,000 files and that a review was being undertaken to determine the number of files containing personal health or personal information. The review of the network drive is now complete and indicates that approximately 20,000 of these files require notification for approximately 31,500 affected individuals. The majority of those impacted are patients, while approximately 280 are staff or former staff members.
It was previously communicated that a number of the files on the network drive contain various types of medical information from various time periods dating back to at least 1996, and include medical diagnosis, procedure type, MCP number and ordering health-care provider for some health-care services provided, as well as human resources and administrative information. It has since been determined that social insurance numbers (SIN) for fewer than 20 patients and banking/financial information for fewer than five patients were involved in the breach. There is no indication that the information has been misused at this time.
Eastern Health has started to notify affected individuals of this breach. The first letters were mailed this week and will continue to be mailed over the next several weeks. Individuals with questions are advised to contact the telephone number provided in their notification letter. Letters include a unique code for each individual; questions about individual situations can be responded to once a letter of notification with a code has been received.
March 30, 2022: The investigation has identified that further patient health and employee information was taken by an unauthorized party. Over 200,000 files were taken from a network drive in Eastern Health’s IT environment, a portion of which may contain patient information. We are currently undertaking a manual review to determine the exact number of files containing personal health or personal information. A number of these files consist of various types of medical information from various time periods dating back to at least 1996, and may include medical diagnosis, procedure type, MCP number and ordering health-care provider for some health-care services provided in Laboratory Medicine, Medicine, Surgery, Cancer Care and Cardiology programs, among others, as well as human resources and administrative information. There is no indication that the information has been misused,
December 14, 2021: It was determined that social insurance numbers (SINs) for some patients were involved in this breach. Approximately 1,970 Eastern Health patients had SINs breached and, because more than half of these patients are now deceased, approximately 900 Eastern Health patients were sent direct notification by mail. Letters were sent to Eastern Health patients whose SIN was breached with an offer of five years of credit monitoring and identity theft protection at no cost to them. Individuals who have questions are encouraged to contact Eastern Health’s Privacy Office via the contact information provided in the notification letter.
Eastern Health takes confidentiality and privacy very seriously and sincerely regrets any concern or inconvenience that this incident may cause. We have taken steps to protect the confidentiality and privacy of our clients. For the general public, a provincial call centre can be contacted through the following toll-free number, 1-833-718-3021. For more information, please visit https://www.gov.nl.ca/hcs/information-and-updates-on-cyber-incident/ for steps you can take to protect your information.
Credit monitoring services are available for current and prior clients of Eastern Health. If you have received services from Eastern Health at any time, we recommend you avail yourself of this service to ensure the protection of your information. We will provide further information as soon as the details are available.
Mental health supports for clients are also available and include the Bridge the Gapp website which may be accessed through the following link www.bridgethegapp.ca. Other services are available through the CHANNAL Warm Line [1-855-753-2560] and the Provincial Mental Health Crisis Line. In-person services may also be accessed through Doorways Mental Health Clinics throughout the Eastern Region. Federal Government services may also be accessed through the Wellness Together Canada Portal that can be accessed through the following link https://wellnesstogether.ca/en-CA.
Eastern Health has taken immediate action to prevent further incidents and these efforts will continue. Eastern Health has informed the Newfoundland and Labrador Office of the Information and Privacy Commissioner (OIPC) of this breach. The RCMP and other external resources are currently involved, provincially, to fully investigate the incident. We appreciate your patience and understanding as the investigation continues.
If you are not satisfied with Eastern Health’s response to this privacy incident, you have the right to contact the OIPC. This Office has oversight of two Acts, one of which is the Personal Health Information Act (PHIA); this oversight includes receiving complaints and investigating breaches of personal health information. OIPC NL wishes to advise, however, that the Commissioner has already decided to launch a privacy investigation. Unless you believe there are very specific circumstances particular to your own case that would warrant an individual complaint, it won’t be necessary for individuals to file a complaint. If you have any questions or aren’t sure if you should file an individual complaint, feel free to contact the OIPC to discuss further. The Office may be contacted through the following address:
Office of the Information and Privacy Commissioner
2 Canada Drive
P.O. Box 13004, Station “A”
St. John’s NL, A1B 3V8
Once again, we deeply regret that this has happened and provide assurance of our continued commitment to quality service and protection of your privacy.
If you have any further questions or concerns, please feel free to contact the Eastern Health privacy representative at firstname.lastname@example.org.