[BreachExchange] Personal data of 50, 000 N.S. health-care workers may have been leaked through pension plan

Tue Mar 9 10:30:06 EST 2021

https://www.msn.com/en-ca/news/canada/personal-data-of-50000-ns-health-care-workers-may-have-been-leaked-through-pension-plan/ar-BB1ejyPY

Personal data tied to over 50,000 current and former health-care
workers in Nova Scotia may have been accessed during a recent security
breach through their pension plan.

Members are now being advised to sign up for a credit monitoring and
fraud protection service.

In a series of notices that were posted online last month, the
operators of the Nova Scotia Health Employees' Pension Plan said it
was possible for data on a third-party email server to be accessed
over a two-month period, from Nov. 25, 2020 to Jan. 25, 2021.

"NSHEPP takes individual privacy and security seriously and we
apologize to our members and employers for this situation," reads the
initial notice, dated Feb. 12.

The type of personal information that could have been accessed
includes names, addresses, dates of birth, social insurance numbers,
salaries, dates of hire, termination or retirement, and other personal
information related to administration of the pension plan.

No evidence so far that data was stolen

In another notice, posted Feb. 19, the plan operators said the
third-party email vendor, Accellion, investigated the breach but could
not determine if any of the members' information had actually been
accessed or copied.

"Out of an abundance of caution, we are working on the assumption that
all data stored during this period was potentially accessed," the
notice said.

According to the pension plan's website, it is one of the largest
registered pension plans in Nova Scotia.

Stefan Cowell, the CEO of the pension plan, told CBC in an email there
are over 50,000 members, including 36,000 still working, and 14,000
pensioners.

Cowell said the pension plan was not the only Accellion customer affected.

In a news release from Feb. 1, the company said a program used to
transfer large files "was the target of a sophisticated cyberattack."

All customers of that program were notified of the attack on December
23, 2020, the news release said.

Cowell said the pension plan has yet to see any evidence that any data
was stolen.

Pensioner worried about identity, financial theft

Reva Sweeney, one the plan's pensioners, learned about the issue on
Friday when a letter arrived at her New Waterford home. Sweeney, 70,
is a retired certified nursing assistant.

"I opened it and I was quite, well, perplexed and alarmed," Sweeney
said in an interview.

Sweeney said she's concerned that if her name, address, date of birth
and social insurance number have fallen into the wrong hands, her
identity and personal finances could be at risk.

"If your social insurance number is out there, people can make a new
Reva Sweeney ... they can open accounts, mortgages, they can start a
new person with your social insurance number."

And, she added, "If they can access your bank account, there goes your money."

Credit monitoring, fraud protection services offered

In its online postings and in the letter Sweeney received, the
operators of the plan urged members to sign up for credit monitoring
and fraud protection through Equifax — an agency the pension plan has
contracted for one year of service for its members.

Sweeney said she's glad to see steps were taken to protect members,
but she's leery about signing up for the service.

"They want you to put in that form the same information that is
compromised … that's a concern. So I think for now, myself,
personally, I'm just going to keep an eye on my own transactions and
bank accounts," she said.

Sweeney's letter is dated Feb. 26 — two weeks after the initial notice
was posted online. She said she hasn't looked at the pension plan
website in years.

"They must realize most of us don't go on their site daily or monthly
or weekly to check it. I think we should have been informed either
through the media or through this letter ... as soon as they were
informed or very shortly after.

"I think the length of time before we actually found out is — it's upsetting."

Cowell said the pension plan has tried "to be as transparent as
possible about this potential breach of data."

Email server shut down

According to its public notices, the pension plan shut down the
compromised email server immediately after learning about the breach
and started using a temporary secure file sharing program through
SharePoint. It was already in the process of transitioning to a new
email system with "more rigorous security features," scheduled for
launch later this year.

Cowell said the timing of the breach was "extremely unfortunate" given
the ongoing plans to roll out a new system.

According to Accellion's news release, the file transfer program was
20 years old and nearing end of life.

In addition to the Accellion investigation, the pension plan said told
members an independent investigator is looking into the incident.