Personal data of 50,000 N.S. health-care workers may have been leaked through pension plan
Names, birthdays, addresses, social insurance numbers among the information compromised
Personal data tied to over 50,000 current and former health-care workers in Nova Scotia may have been accessed during a recent security breach through their pension plan.
Members are now being advised to sign up for a credit monitoring and fraud protection service.
In a series of notices that were posted online last month, the operators of the Nova Scotia Health Employees' Pension Plan said it was possible for data on a third-party email server to be accessed over a two-month period, from Nov. 25, 2020 to Jan. 25, 2021.
"NSHEPP takes individual privacy and security seriously and we apologize to our members and employers for this situation," reads the initial notice, dated Feb. 12.
The type of personal information that could have been accessed includes names, addresses, dates of birth, social insurance numbers, salaries, dates of hire, termination or retirement, and other personal information related to administration of the pension plan.
No evidence so far that data was stolen
In another notice, posted Feb. 19, the plan operators said the third-party email vendor, Accellion, investigated the breach but could not determine if any of the members' information had actually been accessed or copied.
"Out of an abundance of caution, we are working on the assumption that all data stored during this period was potentially accessed," the notice said.
According to the pension plan's website, it is one of the largest registered pension plans in Nova Scotia.
Stefan Cowell, the CEO of the pension plan, told CBC in an email there are over 50,000 members, including 36,000 still working, and 14,000 pensioners.
Cowell said the pension plan was not the only Accellion customer affected.
In a news release from Feb. 1, the company said a program used to transfer large files "was the target of a sophisticated cyberattack."
All customers of that program were notified of the attack on December 23, 2020, the news release said.
Cowell said the pension plan has yet to see any evidence that any data was stolen.
Pensioner worried about identity, financial theft
Reva Sweeney, one of the plan's pensioners, learned about the issue on Friday when a letter arrived at her New Waterford home. Sweeney, 70, is a retired certified nursing assistant.
"I opened it and I was quite, well, perplexed and alarmed," Sweeney said in an interview.
Sweeney said she's concerned that if her name, address, date of birth and social insurance number have fallen into the wrong hands, her identity and personal finances could be at risk.
"If your social insurance number is out there, people can make a new Reva Sweeney ... they can open accounts, mortgages, they can start a new person with your social insurance number."
And, she added, "If they can access your bank account, there goes your money."
Credit monitoring, fraud protection services offered
In its online postings and in the letter Sweeney received, the operators of the plan urged members to sign up for credit monitoring and fraud protection through Equifax — an agency the pension plan has contracted for one year of service for its members.
Sweeney said she's glad to see steps were taken to protect members, but she's leery about signing up for the service.
"They want you to put in that form the same information that is compromised … that's a concern. So I think for now, myself, personally, I'm just going to keep an eye on my own transactions and bank accounts," she said.
Sweeney's letter is dated Feb. 26 — two weeks after the initial notice was posted online. She said she hasn't looked at the pension plan website in years.
"They must realize most of us don't go on their site daily or monthly or weekly to check it. I think we should have been informed either through the media or through this letter ... as soon as they were informed or very shortly after.
"I think the length of time before we actually found out is — it's upsetting."
Cowell said the pension plan has tried "to be as transparent as possible about this potential breach of data."
Email server shut down
According to its public notices, the pension plan shut down the compromised email server immediately after learning about the breach and started using a temporary secure file sharing program through SharePoint. It was already in the process of transitioning to a new email system with "more rigorous security features," scheduled for launch later this year.
Cowell said the timing of the breach was "extremely unfortunate" given the ongoing plans to roll out a new system.
According to Accellion's news release, the file transfer program was 20 years old and nearing end of life.
In addition to the Accellion investigation, the pension plan told members an independent investigator is looking into the incident.
Clarifications
- An earlier version of this story said the pension plan had 30,000 members. The information was taken from the plan's website. Stefan Cowell, the CEO of the pension plan, told CBC in an email there are over 50,000 members. (Mar 06, 2021 3:58 PM EST)