Cyber Incident Victim: Aberdeen Hospital
Date:
Aug 2020
Location:
Canada
Summary
A privacy breach at two healthcare facilities in Nova Scotia affected over 200 individuals after clerical staff inappropriately accessed personal health information through the Meditech scheduling and patient records system. The incidents, discovered during routine audits, involved employees at Aberdeen Hospital viewing appointment details and a Valley Regional Hospital clerk accessing both scheduling data and medical files, including records of family members, colleagues, and community residents. Affected individuals were notified with specifics about the unauthorized access and offered options to obtain copies of their compromised records or escalate complaints to the privacy commissioner. Nova Scotia Health emphasized irreversible impacts and stated strict disciplinary measures, including potential termination, would be enforced for such violations.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In August 2020, Nova Scotia Health disclosed two separate privacy breaches affecting 211 individuals across Aberdeen Hospital in New Glasgow and Valley Regional Hospital in Kentville. The incidents were identified through routine privacy audits, prompting internal investigations. At Aberdeen Hospital, a clerical employee inappropriately accessed appointment details within the hospital's Meditech scheduling system. Simultaneously, a clerk at Valley Regional Hospital improperly viewed both scheduling data and patient medical records through Meditech systems. Investigations revealed the employees examined diverse medical files, including those of family members, coworkers, colleagues, and other community residents. Karen Hornberger, Nova Scotia Health's provincial privacy director, characterized this pattern of accessing acquaintances' records as typical in privacy violation cases. The breaches occurred prior to their August 4 public disclosure, though exact timelines weren't specified in audit findings. Both incidents involved trusted staff members exploiting their authorized system access rather than external attackers compromising digital infrastructure.
Nova Scotia Health initiated formal notifications by sending letters to all 211 affected individuals, detailing precisely which employee accessed their records and which specific medical information was viewed. Impacted persons were offered copies of their improperly accessed health files and advised of their right to file complaints with Nova Scotia's privacy commissioner. Hornberger acknowledged the irreversible nature of such privacy violations while outlining potential disciplinary measures for involved staff, including suspension or termination. As a preventive measure, she referenced the availability of permanently sealing highly sensitive medical records for concerned patients. The health authority emphasized these breaches stemmed from individual misconduct rather than systemic security failures in Meditech systems, though no technical safeguards against insider threats were described. Response protocols focused on accountability through audit-driven detection, victim transparency, and personnel consequences rather than publicizing systemic changes to data access controls or audit frequencies.