Nova Scotia’s Department of Community Services was the hardest hit by a data breach of one of the government’s websites earlier this year, internal emails and memos released under freedom of information requests reveal.
The Freedom of Information and Protection of Privacy Portal (FOIPOP) website, which was originally breached between March 3 and March 5, was taken down on April 5 when officials with the Department of Internal Services — which is responsible for the FOIPOP website — were first informed by a provincial employee that it was possible to inadvertently access documents through the portal.
At the time, the province said more than 7,000 documents were inappropriately downloaded as a result of the breach, and 250 of the documents contained “highly sensitive” personal information such as social insurance numbers, birth dates and personal addresses.
The government’s internal emails — dated between April 7 and April 16 and sent to the Office of Premier Stephen McNeil — indicate that the government actually increased their internal assessment of the number of documents with highly sensitive personal information to 369.
“We have completed a deeper analysis, including a more robust document review,” an internal memo reads.
“This has uncovered there were more with sensitive information than expected. This is the final number for personal sensitivity.”
This reassessment also provides the first indication of which parts of the government were most affected by the breach.
Of the 369 documents containing highly sensitive personal information, 273 (74 per cent) came from the Department of Community Services, which deals with income assistance, employment support, and child and youth services.
The province’s Department of Justice, Public Service Commission, Department of Transportation and Infrastructure Renewal, and Immigration round out the other offices most affected by the breach, although the number of sensitive documents downloaded from each of these departments was far below the Department of Community Services’ tally.
WATCH: Police will not charge 19-year-old involved in Nova Scotia data breach, close investigation
As of Tuesday the FOIPOP website remains offline — 110 days after it was first shut down.
The government has previously said that they are considering options that would transform the FOIPOP site into something new rather than what it resembled before.
“Our focus remains to get the access to the publicly available information back online. We hope to have an update soon on that aspect,” said Michelle Stevens, a spokesperson for department of internal services.
Unisys, the company in charge of the portal, has been offered a one-year extension at a cost of $120,000.
The new contract will separate control of the public disclosure portion of the site, and Unisys will no longer run that aspect of the portal.
“We didn’t feel that it was an appropriate partnering,” said Internal Services Minister Patricia Arab at the end of June.
“So we’re looking to have something along the lines of our Open Data website.”
The province’s Open Data website is run by Socrata. The province says it will sole-source a contract to run the public disclosure portion of the FOIPOP site but will not say whether Socrata is going to be tapped for that work.
“One year, hopefully, will give us the time for the (FOIPOP) site to see how we’re going to proceed,” Arab said.
Two separate investigations into the government’s handling of its citizens’ privacy are still ongoing.
Catherine Tully, the province’s privacy and information commissioner, has also been informed of the breach and is now launching her own investigation into whether the Department of Internal Services was in compliance with the province’s Freedom of Information and Protection of Privacy Act.
“The investigation will focus in particular on the adequacy of the security of the system,” wrote Tully in a press release.
An investigation by Nova Scotia’s auditor general, Michael Pickup, is also underway. He’s set to perform an audit of the province’s privacy services.
Arab wrote in a letter requesting the auditor general’s services that the two investigations will be supportive and complementary of one another.
— With files from Sarah Ritchie and The Canadian Press