A major cyber attack in British Columbia may have resulted in the theft of personal information belonging to hundreds of thousands of people working in the province’s health-care sector.
At a briefing Tuesday, health officials revealed the attack targeted three professional service websites hosted by the Health Employers Association of British Columbia (HEABC), which represents 200 public health sector employers and conducts most bargaining with health-care workers.
Attackers were able to access a server hosting the sites and application forms for Health Match BC, the BC Care Aide and Community Health Worker Registry, and the Locums for Rural BC programs.
HEABC president and CEO Michael McMillan said the attack was discovered July 13, and that officials immediately shut the server down and moved data to a clean server with more security.
He said officials have not been able to conclusively determine which information was taken, but that the server hosted about 240,000 email addresses, along with other data.
“The personal information that may have been taken through the attack varies significantly by program and individual but could include personal email addresses, birthdates, social insurance numbers, passport information, driver’s licences, educational credentials, investigative reports and other information relating to individual dealings with the relevant programs,” he said.
“I sincerely regret that this attack happened, and I want to reassure everyone that we are working with cybersecurity and privacy experts to address the incident, safeguard against future attacks, and notify and support individuals whose personal information may have been involved.”
The breach does not affect any patient records or data within the provincial government’s health-care network, Health Minister Adrian Dix said.
“I want to be clear that there are no successful breaches on the bc government data systems, no patient information and no information in government systems have been compromised,” Dix said.
“The ministry and health authorities have security measures to protect our systems against attacks and are committed to strong privacy and security control. we’re continuously assessing health sector applications and infrastructure for vulnerabilities to cybersecurity threats.”
Dix acknowledged that the attack “will cause considerable concern among the individuals who may have been affected,” but added that the HEABC had acted swiftly to secure data once it learned of the attack.
McMillan said the HEABC had notified B.C.’s information and privacy commissioner, the Canadian Centre for Cyber Security and law enforcement about the breach and launched its own investigation with the help of third-party cybersecurity experts.
While it is not yet clear exactly how many people whose information was on the system was affected, McMillan said out of an abundance of caution the HEABC was acting as if all of it had been accessed.
The HEABC is in the process of notifying all potentially affected people and will be offering two years of service with Equifax, an international credit monitoring and identity protection firm.
In the meantime, the affected programs continue to operate, though their public-facing websites are down.
Health-care workers can still sign up for the programs by contacting them directly to register.
Dix said the province was working to ensure the breach did not significantly slow down B.C.’s efforts to recruit new health-care workers.