Some patient SINs stolen in N.L. cyberattack

The social insurance numbers of more than 2,500 patients were stolen in an October cyberattack on Newfoundland and Labrador's health-care system and the head of the province's largest health authority saysthey weren't even supposed to have collected that information.

During a media briefing on Tuesday, Eastern Health president and CEO David Diamond saidsocial insurance numbers are not normally collected during registration, and the health authority is reviewing how and why that information was collected.

"Mitigation plans are being developed as we speak to prevent this from happening again," Diamond said.

He said there is a field for collecting social insurance numbers on the patient intake form, and employees may have accidentally collected them during patient registration.

"We actually don't see that there was ever a need for social insurance numbers to be collected that way," he said. "In many cases this may simply have been human error."

Most of the 2,514 patients affected are in the Eastern Health region, but there are some in the Central Healthand Labrador-Grenfell Health regions.

On top of that, other personal health information of patients from all four regional health authorities who have had blood work or other laboratory tests including anyone who's had a COVID-19 test analyzed through Eastern Health has been stolen.

While personal health information was accessed, test results were not, said Diamond.

More employees affected

The health authorities have also changed the time frameto include more employees.

Eastern Health previously said employee and patient data going back 14 years had been taken in the attack.

On Tuesday, Diamond said the investigation shows employee data going back 28 years and patient data going back 11 years has been compromised.

"We will be making every effort to identify individuals and ensure that they are notified," Diamond said, though he also encouraged people to be proactive if they believe their information has been compromised.

Of the 2,514 patients who had their social insurance numbers stolen, 1,970are in Eastern Health, though the majority are now deceased said Diamond.Eastern Health is notifying 900 patientsthat their social insurance numbers have been compromised, he said.

In the Central Health region, employee data going back 28 years and patient data going back 15 yearshas been stolen, said Diamond, who said 520 patientshave had their social insurance numbers taken,though most of them are now deceased.

WATCH: N.L. health officials provide update on cyberattack

In the Labrador-Grenfell Health region, the social insurance numbers ofabout 20 patients have been stolen,though four of those patients are now deceased, said CEO Heather Brown.

"We will be contacting the remaining patients through mailed letters," Brown said.

The investigation has now confirmed that employee information going back eight years has been compromised, rather than nine years as previously reported. The breach still goes back nine years for patient information.

In Western Health, interim CEO Michelle House said their systems were not breached, but some patients' personal health information that was part of laboratory tests like blood work or COVID-19 tests, which are sent to Eastern Health for analysis has been compromised.

She said there is no evidence to suggest the social insurance numbers or test results of Western Health patientshave been stolen.

Patients who have had their personal health information compromised in thecyberattack can avail of two years of free credit monitoring, while employees and patients who have had their social insurance numbers stolen can avail of five years of credit monitoring, paid for by the province.

No new info about perpetrators

Justice Minister John Hogan wouldn't give anynew information about the investigation into the attackbut saidmost systems and services have been restored.

"We're not in a position to speculate and provide speculative information to the public," he said.

Hogan said he doesn't know how much the cyberattack will cost the province. He said the province is strengthening its IT systemsbut did not provide specific information about which systems are being strengthened and how.

"We are going to do everything we can in our power to strengthen our IT systems as we move forward," he said.

Diamond said he can't explain why data going back 28 years was stored on an unencrypted server.

"That will be part of the ongoing investigation and review," he said.

In November, PC Opposition leader David Brazil pointed to Meditech, the system that manages health-care information in the province, as a possible weak point in cybersecurity that might have allowed the cyberattack to occur.

On Tuesday, Diamond said that while the Meditech system is aging, there is no indication it was a factor in the attack.

"It is an old work engine that has served us well for a long time," he said.

Read more from CBC Newfoundland and Labrador