HEABC says measures underway after cyber security attack and potential data breach

THE Health Employers Association of British Columbia (HEABC) said on Tuesday that it is working diligently to address the potential impacts of a cyber-security attack on one of its servers.

The illegally breached server hosts three provincial health professional service websites managed by HEABC including Health Match BC (HMBC), the BC Care Aide and Community Health Worker Registry and the Locums for Rural BC program.

This incident does not impact health records throughout the health care sector.

“HEABC works hard to protect the privacy of everyone who accesses our online services, and today it is important to let people know their personal information may have been taken through a cyber-attack,” said HEABC President and CEO, Michael McMillan.

“We recognize this may create questions and concerns for individuals. I sincerely regret that this potential breach happened and reassure everyone that we are working with cybersecurity and privacy experts to address the incident, safeguard against any future vulnerabilities, and notify and support individuals whose personal information may have been involved.”

On July 13, HEABC learned that information had been taken from its systems and subsequently identified that the information taken may have included personal information. While not all information in the affected databases was taken, HEABC said it is not able to conclusively determine which information was involved and is therefore treating all the information as having been potentially taken.

Upon discovering the potential breach, HEABC immediately shut down the affected server and websites, engaged cyber security experts to launch an investigation to determine the scope and nature of the attack, and implemented additional security measures to ensure that the services affected are safely reinstated as quickly as possible.

This incident is limited to specific application forms and other information on the server supporting HMBC, Locums for Rural BC and the BC Care Aide and Community Health Worker Registry.

The personal information that may have been taken through the attack could include personal email addresses, birthdates, social insurance numbers, passport information, driver’s licenses, educational credentials, investigative reports, and other information relating to individuals’ dealings with the relevant programs. Individuals who provided personal information through these websites may have been impacted.

HEABC is not able to identify how many individuals’ information is potentially involved in this incident. While there were approximately 240,000 unique email addresses in the relevant databases, some individuals used more than one email address in their dealings with HEABC.

While HEABC has not identified any misuse of information arising from this incident, as a precautionary measure it said it is notifying individuals whose personal information was potentially involved, as appropriate, and offering two years of credit monitoring and identity protection services with Equifax. In the meantime, individuals are able to review its FAQs at FAQ.healthmatchbc.orgFAQ.locumsruralbc.ca, or FAQ.cachwr.bc.ca.

HEABC has notified the Office of the Information and Privacy Commissioner and the Canadian Centre for Cyber Security and has reported the incident to law enforcement.

While HEABC continues its investigation and response to this cyber-attack, some of the services provided by HMBC, Locums for Rural BC, and the BC Care Aide and Community Health Worker Registry are disrupted. Public-facing websites for these programs remain offline and job boards are not visible to anyone without an account. Existing/returning users of these services continue to have access to their accounts by logging in through web pages which have been set up on a clean server not affected by the incident. New users can access Health Match BC and Locums for Rural BC job boards by contacting the individual programs to set up an account.

HEABC said it is committed to taking all necessary steps to safeguard its systems and the data entrusted to the organization.  To that end, HEABC has engaged leading cybersecurity and other experts in its continuing investigation to ensure that all systems are secure and to guard against any future attacks, and is working to restore services as quickly as possible. In the short term, the focus will be on restoring access to basic program information and full access to job postings and applications.

The Health Employers Association of BC (HEABC) represents over 200 publicly funded health care employers. HEABC is the accredited bargaining agent for most publicly funded health employers in the province.

Additional information and ongoing updates will be available online at www.heabc.bc.ca