Number of people hit by privacy breach in 2021 cyberattack now up to 58,000: Eastern Health
Regional health authority previously said it had notified 37,800 people impacted by privacy breach
Eastern Health says it's notifying about 31,500 patients and employees whose personal or health information was taken from a network file drive during the 2021 cyberattack on Newfoundland and Labrador's health-care system.
About 280 of the people impacted are employees or former employees of the regional health authority, while the rest are patients.
According to Eastern Health, the stolen files include medical diagnoses, Medical Care Plan numbers and administrative information dating back to "at least" 1996. Social insurance numbers belonging to fewer than 20 people and financial information belonging to fewer than five people were breached in the October 2021 cyberattack.
"There is no indication that the information has been misused at this time," said Eastern Health.
The latest update brings the total number of patients and employees impacted by the network drive breach to 58,200 — more than 10 per cent of the province's population.
Eastern Health said people impacted by the breach will receive letters in the mail by January.
The health authority is offering credit monitoring through Equifax, and has extended the registration deadline through Sept. 30, 2023. Eastern Health is also offering two years of credit monitoring to all patients, and five years to employees and patients whose financial information or social insurance number was accessed.
Last summer, the health authority told CBC News it was notifying 37,800 people that their information had been breached. On Thursday, a spokesperson said there is some overlap between that number and the latest update, as some of the same people previously notified will receive another notification.
Ongoing repercussions
Thursday's announcement is just the latest indication of the wide-reaching impact of the cyberattack, which caused chaos in the fall of 2021.
Provincial government officials took days to confirm the nature of the health-care disruptions, and still refuse to comment on the nature of the attack or who was responsible, citing security concerns.
A Health Department spokesperson said Health Minister Tom Osborne was not available for an interview on Thursday, but noted in a statement that the Office of the Information and Privacy Commissioner is investigating the incident.
"We will review recommendations from that report once it is released and act accordingly," said the statement.
PC health critic Paul Dinn said the provincial government's response lacks transparency.
"I think the public certainly deserve more information than what's been out there, and I think that can be done without compromising the security and what they're doing behind the scenes," he said.
Dinn said he doesn't see why the provincial government won't reveal the nature of the attack.
Last spring, CBC/Radio-Canada obtained a report completed before the cyberattack, revealing "numerous vulnerabilities, security concerns and compliance issues" in Eastern Health's network. Dinn said that revelation raises the question of trust.
"It's a tall order to be asking when people's private information is at stake," he said.
The Health Department spokesperson said the Newfoundland and Labrador Centre for Health Information has engaged cybersecurity experts for a risk assessment.
"Threat assessment and mitigation plans are part of ongoing security measures and cybersecurity processes," said the statement.
Earlier this year, The Canadian Press reported the provincial government had spent $200,000 on public relations advice related to the cyberattack. A few weeks later, then Health Minister John Haggie said the provincial government had spent just under $16 million, in all, in its response to the attack.