Cyber Incident Victim: Health Employers Association of BC
Date: Jul 2023
Location: Canada
Summary
HEABC experienced a cyber-attack on a server hosting websites and application forms for three health services programs. Personal information may have been taken from the compromised systems. The affected server was shut down, and additional security measures were implemented. HEABC notified privacy authorities and law enforcement and is offering credit monitoring services to potentially affected individuals.
Description
On July 13, 2023, the Health Employers Association of BC (HEABC) discovered that it had fallen victim to a cyber-attack. The organization learned that information housed on a compromised server had been taken from its systems. Subsequent investigation identified that the information taken may have included personal data belonging to individuals who had used its services. This breach represented a significant incident involving the potential exposure of sensitive information. The server in question hosted websites and application forms for three distinct provincial health services managed by HEABC: Health Match BC (HMBC), the BC Care Aide and Community Health Worker Registry, and the Locums for Rural BC program. These platforms are critical for the recruitment and registration of healthcare workers within the province, indicating that the compromised data likely pertained to individuals within or seeking to join the healthcare sector.

Upon discovery of the incident, HEABC took immediate action by shutting down the affected server and the associated websites to contain the breach and prevent further unauthorized access or data exfiltration. The organization also implemented additional security measures with the stated goal of ensuring that the affected services could be safely reinstated as quickly as possible. This response highlights the immediate priority of securing the infrastructure to protect against ongoing threats. The swift shutdown suggests the attack was considered serious enough to warrant taking critical online services offline, which would have impacted the operations of the three health programs. The commitment to reinstating services safely indicates a careful balance between resuming normal operations and ensuring the vulnerabilities that led to the breach were adequately addressed.
HEABC followed established protocols for reporting such incidents by notifying relevant authorities. The organization formally notified the Office of the Information and Privacy Commissioner (OIPC), which is responsible for overseeing compliance with privacy legislation in British Columbia. HEABC also reported the incident to the Canadian Centre for Cyber Security, the national agency dedicated to cybersecurity, and to law enforcement agencies. These notifications are a standard and crucial part of the response process, engaging regulators, national cybersecurity experts, and criminal investigators. Reporting to law enforcement also signifies that the cyber-attack was treated as a potential criminal act, possibly involving ransomware or other malicious activities by threat actors.
In compliance with the requirements set forth by the OIPC, HEABC undertook the process of notifying individuals whose personal information may have been compromised in the attack. The organization recognized the gravity of the situation and the concern it would generate among those affected. To support these individuals, HEABC partnered with Equifax Canada to provide credit monitoring services where appropriate. This offering is a common mitigation step intended to help protect individuals from potential identity theft or fraud that could arise from the misuse of their stolen personal information. The provision of these services demonstrates an acknowledgment of the potential harm to individuals and an attempt to provide a tangible form of redress and security.
The President and CEO of HEABC, Michael McMillan, issued a public statement expressing regret that the event had occurred. He reassured the public that the organization was working diligently with cybersecurity and privacy experts to address the incident comprehensively. The statement emphasized HEABC's focus on safeguarding against future vulnerabilities and on supporting the individuals whose personal information may have been involved. McMillan's message underscored the seriousness with which HEABC treats its responsibility to protect the privacy of everyone who accesses its online services. He acknowledged the trust placed in the organization by individuals who provide their information and affirmed HEABC's commitment to managing the incident with their best interests as the primary focus.
To assist individuals who received a notification about the breach, HEABC directed them to dedicated online resources for each of the three affected programs. Specific FAQ websites were established for Health Match BC, Locums for Rural BC, and the BC Care Aide and Community Health Worker Registry. These resources were likely created to provide affected individuals with detailed information about the breach specific to the service they used, answers to common questions, and guidance on the steps they should take to protect themselves. The creation of these tailored resources indicates an effort to manage communications effectively and provide clear, program-specific support rather than a generic response.
The Health Employers Association of BC is a major organization within the provincial healthcare landscape, representing over 200 publicly funded health care employers. Its members include both small affiliate organizations and large, comprehensive health authorities with thousands of employees. HEABC serves as the accredited bargaining agent for most publicly funded health employers in British Columbia, negotiating six major provincial agreements that cover 170,000 unionized health care employees. Furthermore, its Physician Services team oversees and coordinates the negotiation of provincial and local physician contracts. This context is important as it illustrates the scale and significance of the organization that was attacked. The breach did not target a small entity but a central coordinating body within the province's healthcare system, which handles vast amounts of sensitive human resources and labour relations data.
HEABC also plays a provincial leadership role in strategic planning related to human resources and labour relations. It is a key provider of support and leadership for elements of the province’s Health Human Resources Strategy. This includes partnering with the government, health employers, and other stakeholders on marketing and recruitment campaigns for health professionals and creating expedited pathways to residency for foreign-trained professionals. The cyber-attack on an organization with such a central role potentially impacts a wide swath of the healthcare ecosystem in British Columbia, from individual care aides and community health workers to physicians and locums working in rural areas. The compromised data could include information on individuals at various stages of their professional careers, from applicants seeking employment to established professionals registered with the province.
The incident represents a serious compromise of systems dedicated to supporting healthcare workforce infrastructure. While the exact nature and scope of the cyber-attack were not detailed in the public statement, the fact that data was taken confirms it was a successful exfiltration event rather than a simple disruption of service. The targeting of application forms suggests that the stolen personal information could include a range of data types typically collected during recruitment and registration processes, such as names, addresses, contact information, educational qualifications, work history, and possibly even more sensitive identifying information. The potential exposure of such data poses significant risks to the affected individuals, making the provision of credit monitoring a necessary protective measure.
HEABC's public communication focused on transparency and accountability following the breach. By publicly announcing the incident, detailing the steps taken in response, and providing resources for affected individuals, the organization demonstrated a commitment to handling the situation in accordance with best practices for incident response and public communication. The statement from the CEO aimed to manage public perception and maintain trust by expressing regret and outlining a clear path forward focused on support and enhanced security. The entire response framework, from technical containment to regulatory reporting and public notification, illustrates a structured approach to managing a significant cybersecurity event within a critical sector.
