Cyber Incident Victim: Valley Regional Hospital

In August 2020, Nova Scotia Health disclosed two separate privacy breaches affecting 211 individuals across Aberdeen Hospital in New Glasgow and Valley Regional Hospital in Kentville. The incidents were identified through routine privacy audits, prompting internal investigations. At Valley Regional Hospital, a clerical employee improperly accessed the Meditech electronic health record system, viewing both appointment scheduling data and detailed patient medical records. A similar breach occurred at Aberdeen Hospital, where another clerical worker exploited the same Meditech scheduling system to examine appointment information. Investigators determined the unauthorized accesses spanned multiple categories, including medical files of family members, coworkers, colleagues, and unrelated community residents. The health authority characterized the incidents as "snooping" by staff members abusing their legitimate system access privileges rather than external attacks.

Nova Scotia Health initiated formal notification procedures by sending letters to all 211 affected individuals, specifying which employee accessed their records and which portions of their health information were viewed. The health authority offered impacted parties copies of the improperly accessed medical files and provided instructions for filing complaints with Nova Scotia's privacy commissioner. Karen Hornberger, Provincial Director of Privacy, emphasized the irreversible nature of such breaches while outlining consequences for the employees involved, including suspensions and potential termination. Hornberger also referenced the availability of extreme measures such as permanently sealing particularly sensitive medical records to prevent future unauthorized access. The health authority reinforced existing audit protocols but did not announce systemic technical changes to the Meditech platform, focusing instead on disciplinary actions and individual accountability.