Information and Updates on Cyber Incident

On Saturday October 30, 2021, a cyber incident impacted critical IT systems supporting healthcare providers in Newfoundland and Labrador. Thanks to the significant efforts of teams from across our healthcare system most services have been restored and the investigation continues into the nature and impact of the incident.

This page provides key information, Frequently Asked Questions (FAQ), and other resources to help explain what happened, what we know so far, and where we are in the recovery process.

Updates and information will be shared on this page as they become available. Please check back regularly for the most recent developments.

Current Incident Update

Latest Update – March 14, 2023

The Honourable John Hogan, KC, Minister of Justice and Public Safety, provided an update today on the 2021 cyber incident that impacted health-related systems. Overview: Cyberattack on the Newfoundland and Labrador Health Care System


Update – March 30, 2022

The ongoing investigation has identified that patient health and employee information on an Eastern Health network drive was also taken during the cyber incident. Over 200,000 files were taken from a network drive in Eastern Health’s IT environment, a portion of which may contain patient information. Eastern Health is undertaking a thorough review to determine the exact number of files containing personal health or personal information. The health information is varied and includes information such as medical diagnosis, medical procedures, medical history, MCP, name, date of birth and address.

There is no evidence that this information has been misused or that banking information was involved.

This information is being thoroughly reviewed and individuals involved with this aspect of the incident will be notified as needed and offered Equifax credit monitoring services.

Additional information is available here. To access Equifax credit monitoring services, please call 1-833-718-3021.


Update – December 20, 2021

Thanks to the significant efforts of teams across our healthcare system, most services have been restored. We want to thank the employees of the Regional Health Authorities (RHAs) and Newfoundland and Labrador Centre for Health Information (NLCHI) who have supported these efforts to date, and who continued to provide critical care and services during this challenging time.

The investigation into the nature and impact of the incident is ongoing. These investigations are complex and require detailed analysis to determine the exact nature of the information involved. It is expected that new details will continue to be identified as the investigation and analysis continue, and we will continue to provide additional updates.

Please see below updates related to the cyberattack:

Social Insurance Numbers (SINs) Breached for a Small Number of Patients

Social insurance numbers for a relatively small group of patients were involved in this breach. A total of 2,514 patients had SINs breached, and because more than half of these patients are deceased, approximately 1,025 patients will receive direct notification from either Eastern Health, Central Health or Labrador-Grenfell Health.

Direct notification letters will be sent from impacted Regional Health Authorities to those patients whose SIN was breached in the coming week with an offer of five (5) years of credit monitoring and identify theft protection at no cost.

RHA Patients with Bloodwork and Specimens Analyzed at Eastern Health Provincial Lab

Patients who had specialized bloodwork and specimens collected at any Regional Health Authority, including Western Health, or private clinics, where the blood or specimens had to be analyzed by Eastern Health in the last 11 years, had their personal health information collected during registration and are involved in this breach. This includes COVID testing that was processed in the provincial lab at Eastern Health.

It is important to note that this does not include any test results, but the personal health information provided at registration.
Any patient who had their personal health information impacted in this breach can enroll for two (2) years of credit monitoring and identify theft protection services from Equifax.

Employee information involved information such as name, address, contact information and Social Insurance Number (SIN). There is no evidence that banking information of employees was involved. The date ranges for RHA employees and former employees have been updated, as follows:

  • Eastern Health for about the last 28 years (+14 years)
  • Labrador-Grenfell Health for about the last 8 years (-1 year)
  • Central Health for about the last 28 years (+15 years)
  • There continues to be no evidence that Western Health employee data was impacted by the breach.

Some of the patient information involved is the information that is typically logged and used when a person comes for an appointment, such as name, address, health care number (MCP), reason for visit, their doctor, phone number, birth date, email address for notifications, in-patient/out-patient status, maiden name and marital status.

The updated information and date ranges of the breach for patients are as follows:

  • Eastern Health for about the last  11 years (-3 years)
  • Labrador-Grenfell Health for about the last 8 years (-1 year)
  • Central Health for about the last 15 years (+2 years)
  • Western Health (only includes patients of RHAs and private clinics for specialized bloodwork and specimens that were sent to Eastern Health for analysis) – 11 years

Credit monitoring and identify theft protection services through Equifax are available for five (5) years free of charge for any employee or patient who had their SINs breached, and for patients with personal health information breached this service is available for two (2) years.

Additional information is available here. To access Equifax credit monitoring services, please call 1-833-718-3021.

Everyone is encouraged to remain vigilant and take steps to protect their information. If you notice any unusual activity in any of your accounts or your account statements, please contact your service providers such as your bank, or report this activity to law enforcement. Further information on how to protect your information is available here.

The investigation is still ongoing and such complex investigations require detailed analysis to determine the exact nature of the information involved. It is expected that new details will continue to be identified as the investigation and analysis continues, and government will continue to provide additional updates, as they become available.


Frequently Asked Questions

As our investigation is ongoing, the information below may change and will be updated as needed.

PRIVACY BREACH

What is the privacy breach?

The public was first notified in November 2021 that some personal information (PI) and personal health information (PHI) was taken during the incident in October 2021 by an unauthorized third party. Appropriate regulatory authorities were also notified, and we continue to work to ensure we meet obligations to report and notify.

Over 200,000 files were taken from a network drive in Eastern Health’s IT environment, a portion of which may contain patient information. Eastern Health is undertaking a thorough review to determine the exact number of files containing personal health or personal information. The health information is varied and includes information such as medical diagnosis, medical procedures, medical history, MCP, name, date of birth and address.

What happened?

As a result of the ongoing investigation into the cyberattack, it has been determined that some personal information (PI) and personal health information (PHI) was taken from our systems.

The appropriate authorities have been contacted, including the Office of the Information and Privacy Commissioner (OIPC) of Newfoundland and Labrador, and the Canadian Centre for Cyber Security. The RCMP have been notified and are continuing to investigate the incident.

Who was impacted by this?

While our investigation is ongoing, we have a good understanding of the nature and extent of the information involved in the cyber incident.

Through the investigation we identified that some personal information (PI) of current and former employees of Eastern Health, Central Health, and Labrador-Grenfell Health was involved, and updated the public last December. It was determined that some personal health information (PHI) of patients of all health authorities Eastern Health, Labrador-Grenfell Health, Central Health, and Western Health was involved.

The date ranges for the breach of information about employees were updated, as follows:

  • Eastern Health for about the last 28 years
  • Labrador-Grenfell Health for about the last 8 years, and
  • Central Health for about the last 28 years.

There continues to be no evidence of data being taken relating to the Newfoundland and Labrador Centre for Health Information (NLCHI) employees or Western Health employees.

The date ranges for the breach of information about patients were updated, as follows:

  • Eastern Health for about the last 11 years
  • Labrador-Grenfell Health for about the last 8 years
  • Central Health for about the last 15 years
  • Western Health (only includes patients of RHAs and private clinics for specialized bloodwork and specimens that were sent to Eastern Health for analysis) for about the last11 years

In addition to the personal information (PI) of current and former employees and patients of Eastern Health, Central Health, Labrador-Grenfell Health, Central Health, and Western Health, it has been determined that that patient health and employee information on an Eastern Health network drive was also taken during the incident.

What information was impacted?

We continue to have no evidence that any personal information (PI) or personal health information (PHI) has been misused in relation to this incident.

For current and former employees, the previous notification included name, address, contact information, and Social Insurance Number (SIN), and employee user IDs. Some human resource information of staff and physicians has also been confirmed to be involved in the breach, including information such as workforce planning, meeting minutes, letters, schedules, timesheets, policies, among others. There is no evidence that banking information of employees was involved.

Social Insurance Numbers (SINs) for a small group of patients were involved in this breach. A total of 2,514 patients had their SINs breached with over half of these patients being deceased. Approximately 1,025 patients will receive direct notification.

For patients, the information involved includes basic information that is typically logged for a patient visit, such as name, address, health care number (MCP), who you are visiting, reason for visit, your doctor, phone number, and birth date, email address for notifications, in patient/out-patient, maiden name, marital status, race, and religion. The most recent information identified may include personal health information such as medical diagnosis, medical procedures, medical history, and MCP.

The information on the Eastern Health network drive also involved in this incident is from various time periods dating back to 1996 in some cases. This information may include includes information such as medical diagnosis, medical procedures, medical history, MCP, name, date of birth and address.

How many people are affected by this breach?

We are still actively investigating and are unable to confirm details at this time.  We continue to notify employees and patients in a timely manner out of an abundance of caution and encourage steps be taken to protect your personal information.

How much information was stolen in this attack?

We are still actively investigating the cyber incident and are unable to provide the full extent of information that was obtained at this time. We can confirm that some personal information of patient and current and former employees was taken from our systems.

What are you doing about this?

Upon learning of the cyber incident, we immediately commenced an investigation and have worked closely with leading cyber security experts to contain the incident and to seek to identify any impacts to personal information.

The appropriate authorities have been contacted, including the OIPC and the Canadian Centre for Cyber Security. The RCMP were notified and are investigating the incident.

We have also taken the step of providing public notification regarding the incident out of an abundance of caution, including information about what steps individuals can take to protect their information and we are making available credit monitoring protection described below.

We are providing creditor protection services through Equifax to monitor the credit of former and current employees which will provide regular reports and access to your credit score.

A provincial call centre has been established for inquiries related to this incident. To activate your credit monitoring service the toll-free number is 1-833-718-3021, and a new web portal to obtain an activation code will be available in the coming weeks.

Anyone who has already registered with Equifax credit monitoring services in relation to the incident does not need to register again.

Additionally, we are committed to continuing to strengthen our systems and help prevent future incidents. The Regional Health Authorities have been working with the Newfoundland and Labrador Centre for Health Information (NLCHI) to put in place additional security measures to help try and prevent future incidents.

What can I do to protect my information?

We encourage individuals to be vigilant regarding their personal information. This can be achieved by monitoring banking and financial information for any unusual activity and using strong passwords that are kept private and changed regularly. We suggest that antivirus software is be kept up to date and we urge you refrain from opening email attachments that look suspicious.

There are other steps you can take to protect your information, or if you suspect you’ve been the victim of identify theft:

  • Call Equifax or TransUnion Canada to get a copy of Credit Report.
  • If you suspect that your social insurance number is being used fraudulently, Service Canada advises filing a complaint with the police.
  • Contact the Canadian Anti-Fraud Centre at 1-888-495-8501.
  • Inform your bank and creditors by phone and in writing about any irregularities.
  • Report any irregularities in your mail delivery to Canada Post, for example, opened envelopes, missing financial statements or documents.
  • Visit a Service Canada office and bring all the necessary documents with you proving fraud or misuse of your SIN.
  • Fraud Alert: You may want to discuss with Equifax and TransUnion Canada whether you should have a fraud alert placed on your credit report by contacting them using the contact information above.
  • Alert the Canada Revenue Agency (CRA): You can report suspected fraud or identify theft with the CRA by calling them at 1-800-959-8281.
  • Additional Information: For additional information about steps you can take to protect your information, please see Digital Government and Service NL’s guidance on “Reducing the Risk of Identity Theft

How can I find out if it directly affects me?

General questions about this incident can be directed to the provincial toll-free information line at 1-833-718-3021.

Steps will be taken to notify relevant individuals whose information was taken from the Eastern Health network server by letter, which includes a contact number to call for further information.

How will I know if my blood or specimens were sent to Eastern Health for processing?

Patients who believe or have concerns that they may have been impacted based on the timeframes and information provided, are able to sign up for the free credit monitoring service. You may call 1-833-718-3021 and request the free 2-year credit monitoring service.

If you are a former or current patient and you have been notified that your SIN has been breached, you may enroll in the credit monitoring service for five years.

Are former employees affected by this breach?

We have identified that some personal information about current and former employees of Eastern Health from about the last 28 years, Labrador Grenfell Health for approximately the last 8 years, and Central Health from about the last 28 years has been taken from our systems.

There continues to be no evidence of information being taken relating to the Newfoundland and Labrador Centre for Health Information (NLCHI), or Western Health employees or former employees.

Current and former employees can enroll for the credit monitoring and identity theft protection services for five years by calling 1-833-718-3021.

What if I want to file a complaint?

The Office of the Information and Privacy Commissioner will conduct an investigation in relation to the incident. Please note that under the Access to Information and Protection of Privacy Act and the Personal Health Information Act you have a right to file a complaint with the commissioner’s office regarding a breach of privacy or if you are not satisfied with the measures taken regarding the breach. The Commissioner may be contacted as follows:

Office of the Information and Privacy Commissioner
2 Canada Drive
P.O. Box 13004, Station “A”
St. John’s NL, A1B 3V8
Telephone: 709-729-6309
Email: commissioner@oipc.nl.ca

Is the issue resolved?

We are working closely with leading experts to continue to investigate the matter and we are taking steps to prevent it from happening again.

RESOURCES

Who can former and current employees and patients contact for further information?

    • Wellness Together Canada is a national website developed during the pandemic to provide mental health and substance use support to Canadians. You can visit www.wellnesstogether.ca or to access counselling 24/7 you can call 1-866-585-0445.
      • A provincial IT Outage website has been set up for information for employees, physicians, partners, and the public.
      • Provincial Call Centre has been set up for former and current patients and employees and can be reached at 1-833-718-3021. This service is available from 8 a.m. to 8 p.m. daily.
      • Provincial Mental Health Crisis Line offers telephone support for people in crisis, available 24/7, and provided by trained mental health clinicians. Call 1-888-737-4668 if you or someone you know is in crisis.
      • CHANNAL Warm Line is a non-emergency, non-crisis telephone support and referral service provided by trained peer support workers who are there and ready to listen. Available 7 days a week, 9:00 a.m. to midnight. Call 1-855-753-2560 for support.
      • Bridge the gapp is Newfoundland and Labrador’s trusted source for mental health and substance use information and connection to local supports and services. Individuals accessing this site can also sign up for online programming, use tools, and share personal stories of recovery with others. For more details visit www.bridgethegapp.ca.
      • Doorways Mental Health Walk-in Clinics provide rapid access to non-emergency mental health and addictions counselling services. Available in 60 locations throughout the province. Most locations offer same-day walk-in services with no appointment or referral required. Doorways is a counselling option, but also a doorway or access point for other ongoing counselling services.
      • MindWell-U 30-Day Mindfulness Challenge offers mindfulness training online, which includes guided activities and a 30-day online mindfulness challenge, available in English and French. The challenge only takes 5 to 10 minutes a day and is accessible by visiting www.bridgethegapp.ca.
      • Therapy Assistance Online (TAO) is an online platform that provides education and skill building for individual’s mental wellness. TAO is available as a self-guided option or clinician-assisted option and covers a variety of topics such as alcohol and substance use, grief and loss, depression, stress, anxiety, and pain management.

      The Federal Government offers a number of services nationally that can be accessed via the Wellness Together Canada Portal.

Who can the public contact if they have further questions?

A provincial call centre number has been established at 1-833-718-3021 for questions about the cyber attack and employee information/patient information.


Steps you can take to further protect your information

To obtain a free copy of your credit report, you can contact the two Canadian credit reporting companies directly. Contact information is:

Equifax Canada

National Consumer Relations
P.O. Box 190, Station Jean-Talon
Montreal, QC H1S 2Z2
www.equifax.ca
(800) 465-7166

TransUnion Canada

Consumer Relations
3115 Harvester Road,
Suite 201 Burlington ON L7N 3N8
www.transunion.ca
(800) 663-9980

As a precautionary measure, we recommend that you remain vigilant, as always, to the possibility of fraud and identity theft by reviewing your financial statements and accounts regularly for any unauthorized activity and taking the steps below if you suspect that fraud or identity theft have occurred.

If you suspect that your Social Insurance Number is being used fraudulently, Service Canada advises taking the following steps:

  1. File a complaint with the police. Ask for the case reference number and the officer’s name and telephone number. If you choose to obtain a copy of the police report, make sure it states your name and SIN.
  2. Contact the Canadian Anti-Fraud Centre at 1-888-495-8501. The national anti-fraud call centre is jointly managed by the Royal Canadian Mounted Police, Ontario Provincial Police and Competition Bureau Canada. They provide advice and assistance about identity theft.
  3. Contact Canada’s two national credit bureaus. Ask for a copy of your credit report. Review it for any suspicious activity. Also check to see if your credit file should be flagged (fees may be applicable). To obtain additional information regarding fees and other requirements, please contact: Equifax: 1-800-465-7166 and TransUnion: 1-800-663-9980.
  4. Inform your bank and creditors by phone and in writing about any irregularities.
  5. Report any irregularities in your mail delivery to Canada Post, for example, opened envelopes, missing financial statements or documents.
  6. Visit a Service Canada office and bring all the necessary documents with you proving fraud or misuse of your SIN. Also bring an original identity document (your birth certificate, or immigration or citizenship document).  Service Canada officials will review your information and provide you with assistance and guidance.

For further information about protecting your Social Insurance Number, please visit Service Canada.

Fraud Alert: You may want to discuss with Equifax and TransUnion whether you should have a fraud alert placed on your credit report by contacting them using the contact information above.

Alert the CRA: You can report suspected fraud or identity theft with the Canada Revenue Agency by calling them at 1-800-959-8281.

Additional Information: For additional information about steps you can take to protect your information, please see Digital Government and Service NL’s guidance on “Reducing the Risk of Identity Theft”


Activate Credit Monitoring

The regional health authorities in Newfoundland and Labrador are offering credit monitoring and identify theft protection services for the increased protection of those who were impacted by the cyber incident in October 2021.

This includes employees and former employees of Eastern Health and Central Health over the past 28 years, and Labrador-Grenfell over the past 8 years, and anyone who receives notice that their patient health or employee information was involved with the incident.

Patients who had their SIN breached are eligible for 5-years of credit monitoring, and those patients who had their personal health information (PHI) breached are eligible for two years of credit monitoring services.

A provincial call centre has been established for inquiries related to this incident. To activate your credit monitoring service the toll-free number is 1-833-718-3021.

For more details on eligibility and activation procedures for credit monitoring, please see the following links from each of the RHAs impacted: