NL notifies over 35,000 people about security breach

ST. JOHN’S, NL – Newfoundland and Labrador’s largest health authority has notified 37,800 people that their privacy was breached as part of last fall’s devastating cyberattack. That number equates to about one in every 13 people in the province. And according to Eastern Health, it could go even higher, CBC News reported. Those affected include patients, along with current and former employees.

The Department of Health steered interview requests to Eastern Health, which did not make anyone available for an interview. Last October, cybercriminals rocked Newfoundland and Labrador’s healthcare system.

Information was stolen, lab results were inaccessible, and procedures and treatments were delayed.

Government officials have been tight-lipped about what happened, refusing to say whether it was a ransomware attack, or who was responsible.

The initial bad news spawned by the attack got worse in March, with the revelation that the scope of the breach was worse than originally thought. More than 200,000 files had been taken from an Eastern Health network repository.

The health authority’s CEO, David Diamond, said at the time that a review had been launched to determine how many people had been affected.

“We expect the number could be large, could be thousands of individuals at the end of the day between staff and patients,” Diamond said March 30.

“But that’ll become clear as we do the work over the next six to eight weeks.”

Those weeks have now passed, and what was once “thousands of individuals” is, at this point,37,800. An emailed statement from Eastern Health suggested it could climb even higher.

“All clients who availed of an Eastern Health service at any time were impacted by the resulting breach of their personal health information,” the health authority noted.

“Our investigation of the files associated with the breach of Eastern Health’s shared drive is continuing. This review should give us a better idea of how many people are affected.”

Officials did not respond to a follow-up message from CBC News seeking clarity on the statement that “all clients who availed of an Eastern Health service at any time were impacted.”

Lee Kim (pictured), senior principal of cybersecurity and privacy for the U.S. non-profit Healthcare Information and Management Systems Society (HIMSS), says the breach underscores the importance of strong defences for IT operations.

“The harder you make it for attackers to compromise your systems, the lower it is for these cyber-attackers to want to breach us,” Kim said from Pittsburgh.

Anyone caught up in the attack should keep an eye on their medical and financial records, Kim added. “You just need to be a little bit extra-diligent,” Kim said.

To help with that, the province is offering free credit monitoring and identity theft protection services. So far more than 21,000 people have inquired about signing up, according to Eastern Health.