Skip to content

2,841 patients could be affected by potential Nova Scotia Health Authority privacy breach

The possible breach was discovered by NSHA's information technology security team when an employee's email account was compromised by an unauthorized outside user performing a phishing attack
041218-nova scotia health authority logo-4x6
Nova Scotia Health Authority logo

HALIFAX — The personal health information of nearly 3,000 people may have been compromised in a phishing attack, the Nova Scotia Health Authority says.

The health authority said Monday that it is investigating a "potential" privacy breach affecting 2,841 patients.

It said the breach was discovered by its IT security team after an employee's email account was compromised through an attack that uses what appears to be a legitimate email or message to gain access to a person's account.

Karen Hornberger, provincial director of privacy for the health authority, said the Office of the Information and Privacy Commissioner was informed about the potential breach on May 13.

Hornberger said the nature of the breach became apparent a few days later.

"We discovered on May 16 that there was personal health information in the employee's inbox that was affected by the phishing attack, and it took us a little while to figure out just how many patients were impacted," she said.

Hornberger said the information related to medical procedures that were planned, scheduled or had occurred at the Colchester East Hants Health Centre in Truro, N.S.

"We have no way of knowing for certain whether or not the people who hacked into this employee's email viewed the information," Hornberger said. "We don't believe that it was viewed because typically when people take over someone's email account, it's so that they can use that account as a front to send out spam emails."

Nonetheless, she said the privacy commissioner advised the incident met the criteria for notification under the Personal Health Information Act.

Hornberger said the health authority is in the process of notifying the people affected and their next of kin by letter. It's also apologizing to those whose private information may have been viewed.

The authority said it takes several steps to ensure all employees understand their obligation to protect patient information, including ongoing education about cyber scams and phishing emails.

The Canadian Press


Rogers Media
6080 Young Street Halifax, NS, B3K 5L2 © 2006-2019 Rogers Media. All rights reserved.