PUBLIC NOTIFICATION OF PRIVACY BREACH OF PERSONAL HEALTH INFORMATION
Updated: March 30, 2022
Eastern Health is advising the public of a breach of personal health information that occurred in October 2021. While the incident is currently under investigation, we are advising that some personal health information about clients of Eastern Health was taken in the incident.
At this time, we can confirm that some personal health information of clients who received services from Eastern Health over approximately the last 11 years is involved. This includes information used at registration for services such as name, address, health care number (MCP), who you are visiting, and reason for visit, physician name, phone number, date of birth, and email address for notifications, inpatient/outpatient, maiden name and marital status. There is no indication that this information has been misused at this time.
December 14, 2021: It was determined that social insurance numbers for some patients were involved in this breach. Approximately 1,970 Eastern Health patients had SINs breached and, because more than half of these patients are now deceased, approximately 900 Eastern Health patients were sent direct notification by mail. Letters were sent to Eastern Health patients whose SIN was breached with an offer of five years of credit monitoring and identify theft protection at no cost to them. Individuals who have questions are encouraged to contact Eastern Health’s Privacy Office via the contact information provided in the notification letter.
March 30, 2022: The investigation has identified that further patient health and employee information was taken by an unauthorized party. Over 200,000 files were taken from a network drive in Eastern Health’s IT environment, a portion of which may contain patient information. We are currently undertaking a manual review to determine the exact number of files containing personal health or personal information. A number of these files consist of various types of medical information from various time periods dating back to at least 1996, and may include medical diagnosis, procedure type, MCP number and ordering health-care provider for some health-care services provided in Laboratory Medicine, Medicine, Surgery, Cancer Care and Cardiology programs, among others, as well as human resources and administrative information. There is no indication that the information has been misused or that banking information was involved.
Eastern Health takes confidentiality and privacy very seriously and sincerely regrets any concern or inconvenience that this incident may cause. We have taken steps to protect the confidentiality and privacy of our clients. For the general public, a provincial call centre can be contacted through the following toll-free number, 1-833-718-3021. For more information, please visit https://www.gov.nl.ca/hcs/information-and-updates-on-cyber-incident/ for steps you can take to protect your information.
Credit monitoring services are available for current and prior clients of Eastern Health. If you have received services from Eastern Health in the time period indicated, we recommend you avail yourself of this service to ensure the protection of your information. We will provide further information as soon as the details are available.
Mental health supports for clients are also available and include the Bridge the Gapp website which may be accessed through the following link www.bridgethegapp.ca. Other services are available through the CHANNAL Warm Line [1-855-753-2560] and the Provincial Mental Health Crisis Line [1-888-737-4668]. In-person services may also be accessed through Doorways Mental Health Clinics throughout the Eastern Region. Federal Government services may also be accessed through the Wellness Together Canada Portal that can be accessed through the following link https://wellnesstogether.ca/en-CA.
Eastern Health has taken immediate action to prevent further incidents and these efforts will continue. Eastern Health has informed the Newfoundland and Labrador Office of the Information and Privacy Commissioner (OIPC) of this breach. The RCMP and other external resources are currently involved, provincially, to fully investigate the incident. We appreciate your patience and understanding as the investigation continues.
If you are not satisfied with Eastern Health’s response to this privacy incident, you have the right to contact the OIPC. This Office has oversight of two Acts, one of which is the Personal Health Information Act (PHIA); this oversight includes receiving complaints and investigating breaches of personal health information. OIPC NL wishes to advise, however, that the Commissioner has already decided to launch a privacy investigation. Unless you believe there are very specific circumstances particular to your own case that would warrant an individual complaint, it won’t be necessary for individuals to file a complaint. If you have any questions or aren’t sure if you should file an individual complaint, feel free to contact the OIPC to discuss further. The Office may be contacted through the following address:
Office of the Information and Privacy Commissioner
2 Canada Drive
P.O. Box 13004, Station “A”
St. John’s NL, A1B 3V8
Once again, we deeply regret that this has happened and provide assurance of our continued commitment to quality service and protection of your privacy.
If you have any further questions or concerns, please feel free to contact the Eastern Health privacy representative at firstname.lastname@example.org.