Newfoundland is now admitting that personal and health information of some patients and hospital staff was accessed by those behind the cyberattack on the province’s health care IT systems.
As a result the government is urging people who have been patients in or worked for two health districts to monitor their bank statements for suspicious activity. Suspicious activity may also be detected by credit rating agencies such as Equifax Canada and TransUnion Canada.
Impacted information includes data about current and former employees and patients of the Eastern Health region — which includes the provincial capital of St. John’s — from about the last 14 years, and the Labrador-Grenfell Health region for approximately the last nine years.
UPDATE: On Wednesday the government said some patient data going back 13 years held by the Central Health Authority was also accessed by the attackers. In addition, it believes some data of employees was also accessed, although that had not been confirmed.
Justice Minister John Hogan emphasized that the government is certain the data was “accessed” by attackers. “Access to data does not mean that it was copied, does not mean it was taken,” he said.
For patients, the accessed data includes basic information that is typically logged or used for a patient visit, such as name, address, health care number, who was visited, reason for the visit, your doctor, phone number, birth date, email address for notifications, in-patient/out-patient, mother’s maiden name, and marital status.
For current and former employees, the information includes name, address, contact information, and Social Insurance Number. There is no evidence that banking information of employees was involved, the government says.
Premier Andrew Furey told reporters at a Tuesday afternoon press conference the exact number of people affected is still being investigated. However, Eastern Health CEO David Diamond told reporters that anyone who has been to hospitals in his region in the last 14 years should assume their data has been stolen.
UPDATE: On Wednesday the government still couldn’t say how many people might be affected. “The period involved is lengthy,” Health Minister John Haggie said. “We don’t have detailed numbers. but if you look at the average interaction between the public and the healthcare system — and bear in mind that three out of the four regional health authorities have been affected — our figures show about 400,000 interactions between the public and the healthcare system per year. So the math could be quite large.”
UPDATE: The provincial information and privacy commissioner has launched an investigation into the breach.
Furey said that the government confirmed the data theft late on Monday, November 8th.
“We are currently looking into options for the provision of credit monitoring and identity protection services to monitor credit, with regular reports and access to credit scores which notify users of unexpected changes,” the government said in a statement on its website.
The RCMP as well as the Information and Privacy Commissioner for Newfoundland and Labrador have been notified of the data theft.
Meanwhile IT teams continue to try to restore health care systems. The government said some health records may not be immediately available when service is restored. “Our teams are working to backfill this information,” the government said.
MORE TO COME