The Nova Scotia Health Authority (NSHA) is in the process of notifying nearly 3,000 people about a potential privacy breach involving personal health information, the organization announced on Monday.
The health authority says the breach was detected by its IT team on May 13, 2019, after an employee’s email account was compromised due to a phishing attack on May 8, 2019.
A phishing attack is an email or message that appears to be legitimate but can allow someone to gain access to the individual’s email account.
Karen Hornberger, director of privacy at the NSHA, said that in this case, the employee used her username and password on a false link sent to her email, allowing access to the employee’s email inbox.
Hornberger said the breach of information was related to “surgical procedures scheduled or going to be scheduled” at the Colchester East Hants Health Centre in Truro, N.S.
The NSHA says 2,841 people and their next of kin are being notified.
Hornberger stressed that this is just a potential breach.
“We have no way of confirming what would have been viewed by the people perpetrating the attack. But there was a… possible exposure of information, and when that happens, we have a duty to inform the public,” she said.
“We do want to apologize that this happened.”
Nova Scotia’s Office of the Information and Privacy Commissioner confirmed to Global News that it had been notified of the breach.
The office says it will be following up with the NSHA about the incident but has not launched a formal investigation.
WATCH: Government not stressing cybersecurity importance with MLAs
The NSHA says it will work with the privacy commissioner to implement recommendations that may be offered in light of the breach.
The health authority has promised to push for education in response to the breach.
“We’re going to continue to educate our employees and other folks who have an NSHA email account regarding these sort of attacks and how to spot them and avoid them,” said Hornberger.
“Essentially, to not take the bait.”