Cyber Incident Victim: IWK Health Centre

On or around May 28, 2023, the IWK Health Centre was impacted by a global cybersecurity breach involving the MOVEit file transfer tool. The incident was part of a wider breach affecting the Province of Nova Scotia and numerous other organizations. The Province's Department of Cyber Security and Digital Solutions led the investigation into the broader incident, which was still in its early stages as of May 31, 2023. The investigation involved a review of files that were present on the MOVEit system to determine the scope of the impact across various government departments and public service organizations.

The breach at the IWK Health Centre specifically affected patients who had visited the early labor and assessment unit. The investigation determined that the personal health information of just over 100 patients was compromised. The data breached was limited to names, dates and times of the patients' visits, and the reason for their visit to the unit. This incident was disclosed by the Province of Nova Scotia as part of a larger announcement detailing the impact of the MOVEit breach on various groups within the province.

The IWK Health Centre incident was one component of a significantly larger data exposure. The Province identified that approximately 13,000 active employees of regional centers for education and the Conseil scolaire acadien provincial were affected. The compromised data for these individuals included names, addresses, social insurance numbers, pension payment amounts, and gender. The breach also impacted around 480 individuals in the Prescription Monitoring Program, with compromised data that included health card numbers, personal health information, and demographic details. This figure was an update from an initial announcement which had stated only 60 people were impacted in this group.

Furthermore, the breach impacted approximately 17,500 water and tax bill accounts with the Region of Queens Municipality. The information exposed included names, addresses, account numbers, payment amounts, and outstanding balances, though it did not include other financial data. Information from five students in a Department of Labour, Skills and Immigration file was also released, including names, addresses, social insurance numbers, phone numbers, and dates of birth. Two other students had their names, institutions, and student ID numbers exposed. The number of incarcerated individuals impacted rose from an initial count of 500 to 655, with compromised data including prisoner ID numbers, names, genders, dates of birth, and incarceration statuses. Conversely, the number of recipients of Nova Scotia pensions affected decreased from 1,400 to 900, with exposed data including names, dates of birth, and demographic information.

The response to the incident was coordinated by the Province of Nova Scotia. Colton LeBlanc, the Minister of Cyber Security and Digital Solutions, announced that notification letters would be sent to impacted parties starting at the end of the week following May 31. These letters were to provide information about free fraud protection and credit monitoring services that the Province had arranged for affected individuals. The Minister urged all those who received a letter to register for these services. The process of notification was handled by individual government departments and organizations that utilized MOVEit; they were sent their respective files to review and were responsible for notifying the affected individuals accordingly. A precise count of affected Nova Scotians was challenging to determine due to duplication of names across the various breached files, and the total number continued to fluctuate as the file review process was ongoing.