Cyber Incident Victim: Nova Scotia Health Authority

Date: May 2023

Location: Canada

Summary

A cyberattack exploiting a vulnerability in the MOVEit file transfer service compromised the Nova Scotia Health Authority and other provincial government departments. The data breach resulted in the theft of significant volumes of sensitive personal information, affecting hundreds of thousands of individuals including teachers, students, healthcare patients, public servants, and correctional facility inmates. Exfiltrated data included names, birthdates, addresses, health card numbers, and in some instances, social insurance numbers.

Description

On or around May 19, 2023, the Nova Scotia Health Authority, along with broader provincial government services, fell victim to a significant data breach. This incident was part of a global cybersecurity event involving the exploitation of a zero-day vulnerability in the MOVEit file transfer tool, which is developed by Progress Software. The attackers, identified as the Clop ransomware group, exploited this vulnerability to gain unauthorized access to systems and exfiltrate data. The breach was not detected immediately by the province; instead, the government became aware of the incident on May 30, 2023, after the threat actors began listing the province as a victim on their dark web leak site. This public claim by the attackers prompted the initiation of an official investigation.

The provincial government's investigation, led by the Department of Cyber Security and Digital Solutions, aimed to determine the scope and scale of the data theft. The MOVEit application was taken offline on June 1, 2023, to apply a necessary security update provided by the vendor. It was taken offline a second time on June 2 for further investigation before being brought back online with the security update applied and additional monitoring implemented. The forensic analysis involved staff across all government departments meticulously reviewing the stolen files to identify what specific data was taken and which individuals were impacted. This process was prioritized based on the level of risk to the affected Nova Scotians.

By May 31, 2023, the province had released an initial assessment of the breached records, which was subsequently updated with more details on June 9, 2023. The investigation revealed a vast and diverse set of stolen data affecting numerous groups. The breach extended to a wide cross-section of the public and public service employees. A major impact was on approximately 55,000 records of past and present certified and permitted teachers in Nova Scotia. The stolen information included names, addresses, dates of birth, years of service, and educational background. Notably, this dataset did not include social insurance numbers or banking information.

The breach also impacted approximately 26,000 students aged 16 years and older. The information taken included their dates of birth, gender, student ID numbers, school names, civic addresses, and mailing addresses. This data was in the system because it had been shared with Elections Nova Scotia.

Within the healthcare system, the breach was particularly severe. It affected about 1,330 people listed in the Department of Health and Wellness client registry, with stolen data including names, addresses, dates of birth, and health card numbers. At least 150 healthcare providers, including doctors, specialists, nurses, and optometrists, were also impacted, with assessments ongoing. Their stolen information included names, addresses, and dates of birth, but not social insurance numbers or banking details. Furthermore, about 60 people in the Prescription Monitoring Program had their names, addresses, dates of birth, health card numbers, and personal health information stolen. A highly sensitive incident involved 41 newborns born between May 19 and 26; their stolen information included last name, health card number, date of birth, and date of discharge.

Other affected groups included approximately 5,000 owners of short-term accommodations listed in the Tourist Accommodations Registry, whose names, owner addresses, property addresses, and registration numbers were taken. About 3,800 people who had applied for jobs with Nova Scotia Health had their demographic data and employment details stolen, though social insurance numbers were not included in this batch. Approximately 1,400 Nova Scotia pension plan recipients had highly sensitive information stolen, including their names, social insurance numbers, dates of birth, and demographic data. The breach also impacted the justice system, with about 500 people in provincial adult correctional facilities having their names, dates of birth, gender, prisoner ID numbers, and status in the justice system stolen. Additionally, 54 people issued summary offence tickets had their names, driver’s licence numbers, and dates of birth taken.

Smaller, more specific groups were also affected. This included 1,085 people who were issued Halifax Regional Municipality parking tickets; their names, addresses, and licence plate numbers were stolen. About 100 Nova Scotia Health vendors had product and pricing information taken, though their banking information did not appear to be included. Finally, 54 clients of the Department of Community Services had their names, addresses, client IDs, and transit pass photos exfiltrated. The provincial government acknowledged the challenge in estimating the exact number of unique individuals affected due to the potential for duplicate records across these different datasets. For example, a single individual could be a certified teacher, a civil service employee, and a recipient of a parking ticket.

In response to the breach, the government's primary action was to assess the full extent of the incident and directly notify all impacted individuals. The Province stated its intention to begin sending individual notification letters as soon as the week following June 9, 2023. For anyone whose sensitive personal information, such as a social insurance number, was confirmed to have been stolen, the government committed to providing credit monitoring and fraud protection services. Details of these services were to be included in the notification letters. Public communication was a key component of the response. The Minister of Cyber Security and Digital Solutions, Colton LeBlanc, addressed the public, acknowledging the concern the detailed information would cause and stating that no individual or organization is immune from cyber threats. The government also issued warnings about scammers potentially using the incident to prey on people, explicitly stating that the Province would not ask for social insurance numbers, MSI numbers, banking information, or money during its notification process.

The government provided additional resources for the public. A dedicated webpage was established at novascotia.ca/privacy-breach to provide ongoing updates and information on the breach, including advice for potential victims. People were directed to federal resources for protecting social insurance numbers and for general cyber-safety information available through the Get Cyber Safe campaign.

The immediate consequences of the breach were the exposure of a massive quantity of highly sensitive personal information belonging to tens of thousands of Nova Scotians, creating a significant risk of identity theft and fraud. The long-term consequences involved the immense effort required by the government to manage the incident response, investigate fully, and provide support to those affected, all while managing public concern and maintaining transparency about the ongoing findings of their investigation.
