Nova Scotia

2,841 patients hit by 'potential' privacy breach at Truro hospital

The Nova Scotia Health Authority says it took nearly a month to figure out how many people were affected by a "potential" privacy breach after employee fell victim to a "phishing attack."

Breach includes private information of surgical patients at Colchester East Hants Health Centre

The privacy breach involves health information of patients who were either scheduled for surgery or contemplating surgery at the Colchester East Hants Health Centre in Truro, N.S. (Robert Short/CBC)

The Nova Scotia Health Authority says it took nearly a month to figure out how many people were affected by a "potential" privacy breach, and is now in the process of telling the 2,841 patients.

The incident was first reported on May 13, when an employee fell victim to a "phishing attack."

They received an email pretending to be from an information technology department, threatening to shut down their account if they didn't verify their username and password. The email was a scam.

"We had to investigate what information was in the employee's inbox," Karen Hornberger, provincial director of privacy at the health authority, said Monday of the delay in informing the public.

"The employee is a part-time employee so we had to look at the different reports and determine the number of patients impacted by the breach."

Hornberger said the emails contained the health information of patients who were either scheduled for surgery or contemplating surgery at the Colchester East Hants Health Centre in Truro. 

She said officials don't believe the information has been used improperly. 

"Because of the size of it, the number of people involved, we've classified it as a severe breach," she said. "But as far as the information exposed, it would be more of a moderate breach."

Karen Hornberger, the health authority's director of privacy, said officials don't believe the information has been used improperly. (Steve Lawrence/CBC)

The health authority sent letters to those affected on Monday. Hornberger said sending a letter is considered to be the best practice in these circumstances.

A recent CBC News investigation revealed the health authority had about 100 breaches a month over the last few years. While the vast majority of those cases were minor, the health authority couldn't say how many people had their information improperly shared. 

"We're doing a push to educate our staff, we've got some new materials coming out, we sent a memo out about phishing breaches," Hornberger said. "It's already part of our current educational platform for privacy."

The organization said Nova Scotia's information and privacy commissioner has been notified.