Nova Scotia Health Authority investigating possible privacy breach
The Nova Scotia Health Authority says the breach was discovered by its IT security team after an employee's email account was compromised through a phishing attack.
HALIFAX -- The personal health information of nearly 3,000 people may have been compromised in a phishing attack, the Nova Scotia Health Authority says.
The health authority said Monday that it is investigating a "potential" privacy breach affecting 2,841 patients.
It said the breach was discovered by its IT security team after an employee's email account was compromised through an attack that uses what appears to be a legitimate email or message to gain access to a person's account.
Karen Hornberger, provincial director of privacy for the health authority, said the Office of the Information and Privacy Commissioner was informed about the potential breach on May 13.
Hornberger said the nature of the breach became apparent a few days later.
"We discovered on May 16 that there was personal health information in the employee's inbox that was affected by the phishing attack, and it took us a little while to figure out just how many patients were impacted," she said.
Hornberger said the information related to medical procedures that were planned, scheduled or had occurred at the Colchester East Hants Health Centre in Truro, N.S.
"We have no way of knowing for certain whether or not the people who hacked into this employee's email viewed the information," Hornberger said. "We don't believe that it was viewed because typically when people take over someone's email account, it's so that they can use that account as a front to send out spam emails."
Nonetheless, she said the privacy commissioner advised that the incident met the criteria for notification under the Personal Health Information Act.
Hornberger said the health authority is in the process of notifying the people affected and their next of kin by letter. It's also apologizing to those whose private information may have been viewed.
The authority said it takes several steps to ensure all employees understand their obligation to protect patient information, including ongoing education about cyber scams and phishing emails.