Cyber Incident Victim: Nova Scotia Prescription Monitoring Program

On or around May 30-31, 2023, the Government of Nova Scotia experienced a significant cybersecurity breach as part of a wider global incident involving the MOVEit file transfer application. The breach occurred before the provincial government was aware of the specific vulnerability being exploited. The Province took its instance of the MOVEit application offline on June 1, 2023, to apply a security update. However, it was taken offline again on June 2 to allow for a more thorough investigation into the extent of the compromise. Following these security actions, the MOVEit system was updated and had additional monitoring measures put in place.

The investigation into the breach was complex due to the volume of data involved. There were more than 5,800 folders stored on the MOVEit system at the time of the incident, with each folder containing multiple files and records. The process of reviewing these files to identify affected individuals and the specific nature of the compromised information was expected to take many weeks. The Department of Cyber Security and Digital Solutions led the review of impacted files, while individual government departments and external organizations that used the provincial MOVEit service were sent their specific files to review so they could conduct their own notifications.

The scope of the breach was substantial and evolved as the investigation progressed. The duplication of names across different files made it challenging to determine a definitive number of unique individuals impacted. The total count of affected Nova Scotians also changed frequently as files were reviewed. By June 14, 2023, the Province had identified several new and updated groups of affected individuals beyond those previously announced. This included approximately 13,000 active employees of regional centres for education and the Conseil scolaire acadien provincial. The compromised data for these employees included names, addresses, social insurance numbers, pension payment amounts, and gender. This group was distinct from a previously announced list of certified and permitted teachers, though some overlap was possible.

The Nova Scotia Prescription Monitoring Program (NSPMP) was significantly impacted. The number of individuals affected within this program was updated to about 480, a substantial increase from the initial figure of 60 people that had been announced on June 9. The breached data for these individuals was particularly sensitive, including health card numbers, personal health information, and demographic information.

A large number of municipal accounts were also compromised. The Region of Queens Municipality had approximately 17,500 water and tax bill accounts affected. The information accessed included names, addresses, account numbers, payment amounts, and balances owing. The Province confirmed that other financial information was not included in this breach. Separately, Halifax Water independently notified approximately 25,000 customers that their names and account numbers were part of the breach.

The healthcare sector saw additional impacts. Just over 100 patients who visited the early labour and assessment unit at the IWK Health Centre had limited personal health information breached. This information was confined to their names, dates and times of their visits, and the reason for their visits. A small number of students associated with the Department of Labour, Skills and Immigration were also affected. For five students, the breached data included name, address, social insurance number, phone number, and date of birth. For two other students, the information released was limited to name, institution, and student ID number.

The investigation also revealed that the data of recipients of Nova Scotia pensions was compromised. The number of affected pension recipients was revised downward to 900 individuals from the 1,400 reported the previous week. The information taken included their names, dates of birth, and demographic information. Furthermore, the number of incarcerated individuals whose data was compromised increased to 655 from an initial count of 500. The information accessed for these individuals included their prisoner ID numbers, names, gender, date of birth, and incarceration status.

One file of significant interest was determined not to have been compromised. Elections Nova Scotia’s voters list was on the MOVEit system so it could be shared with political parties. However, the investigation concluded that this specific file had been shared in a way that made it inaccessible and it was not breached.

On June 14, 2023, the Province announced that notification letters would begin to be sent to affected individuals by the end of that week. These letters included information about arrangements made by the government to provide a free fraud protection and credit monitoring service to those whose information was breached. The Minister of Cyber Security and Digital Solutions urged all impacted individuals to register for this service. The public was also reminded that the Province would not ask for social insurance numbers, MSI numbers, banking information, or money as part of its notification process, and to be vigilant against scammers attempting to prey on the incident. The government directed citizens to a dedicated website for updates and advice regarding the breach.