December 14, 2021
As the ongoing investigation into the cyberattack that occurred in October 2021 continues, Central Health wishes to advise the public that additional information is now available as detailed below.
Initially, it was disclosed that some personal health information of clients who received services from Central Health over approximately the last 13 years was involved. This includes information used at registration for services such as name, address, health care number (MCP), who you are visiting, and reason for visit, physician name, and phone number, date of birth, and email address for notifications, inpatient/outpatient, maiden name and marital status.
The Regional Health Authority has since been provided updated information regarding the breach pertaining to the province as a whole and it is summarized as follows:
Social Insurance Numbers (SINs) for a Small Number of Patients
Provincially, it has been determined that social insurance numbers for a relatively small group of patients was involved in this breach. A total of 2,514 patients had SINs breached and, because more than half of these patients are now deceased, approximately 1,025 patients will receive direct notification.
In the coming week, direct notification letters will be sent from impacted Regional Health Authorities to those patients whose SIN was breached with an offer of five years of credit monitoring and identify theft protection at no cost to them. Central Health can confirm at this time, 520 patients were impacted by this breach however Central Health will only be contacting 102 patients of Central Health as the others are deceased. Direct notification will be completed through letter correspondence in the following days.
RHA Patients with Bloodwork and Specimens Analyzed at Eastern Health Provincial Lab
Patients who had specialized bloodwork and specimens collected at any Regional Health Authority or private clinics, where the blood or specimens had to be analyzed by Eastern Health in the last 11 years, had their personal health information collected during registration and are involved in this breach. This includes COVID testing that was processed in the provincial lab at Eastern Health.
It is important to note that this does not include any test results, but the personal health information provided at registration.
Any patient who had their personal health information impacted in this breach can enroll for two years of credit monitoring and identify theft protection services from Equifax.
Updates to the Date Ranges of the Breach for Central Health
The date ranges for this breach have been updated for some of the Regional Health Authorities for both employee and patient information. Employee information involved information such as name, address, contact information and Social Insurance Number. There is no evidence that banking information of employees was involved.
The date ranges for RHA employees and former employees have been updated, as follows:
Central Health for about the last 28 years as opposed to 13 years as was previously reported .
Some of the patient information involved is the type of information that is typically logged and used when a person comes for an appointment, such as name, address, health care number (MCP), reason for visit, their doctor, phone number, birth date, email address for notifications, in-patient/out-patient status, maiden name and marital status.
The updated information and date ranges of the breach for patients is as follows:
Central Health for about the last 15 years as opposed to 13 years as was previously reported
Credit monitoring and identify theft protection services through Equifax are available for five years free of charge for any employee or patient who had their SINs breached, and for patients with personal health information breached this service is available for two years.
Additional information is available here. To access Equifax credit monitoring services, please call 1-833-718-3021.
Everyone is encouraged to remain vigilant and take steps to protect their information. If you notice any unusual activity in any of your accounts or your account statements, please contact your service providers such as your bank, or report this activity to the RCMP. Further information on how to protect your information is available here.
The investigation is still ongoing and such complex investigations require detailed analysis to determine the exact nature of the information involved. It is expected that new details will continue to be identified as the investigation and analysis continues, Central Health will continue to provide additional updates, as they become available.
On behalf of Central Health, we would like to apologize to you and provide assurance of our continued commitment to quality service and protection of your privacy. If you are not satisfied with Central Health’s response to this privacy incident, you have the right to contact the OIPC. This Office has oversight of two Acts, one of which is the Personal Health Information Act (PHIA); this oversight includes receiving complaints and investigating breaches of personal health information.
OIPC NL wishes to advise, however, that the Commissioner has already decided to launch a privacy investigation. Unless you believe there are very specific circumstances particular to your own case that would warrant an individual complaint, it won’t be necessary for individuals to file a complaint. If you have any questions or aren’t sure if you should file an individual complaint, feel free to contact the OIPC to discuss further. The Office may be contacted through the following address:
Office of the Information and Privacy Commissioner
2 Canada Drive
P. O. Box 13004, Stn. A
St. John’s, NL. A1B 3V8
Telephone: (709) 729-6309
Facsimile: (709) 729-6500
We encourage patients and employees to remain vigilant, as always, regarding your personal information.
If you have any further questions or concerns, please feel free to contact the Central Health privacy representative at firstname.lastname@example.org.
Gayle St. Croix
Director of Communications and Government Relations
cell: (709) 572 1165