A cyberattack on three websites hosted by the Health Employers Association of British Columbia may have seized the personal information of thousands of people working or applying to work in B.C.’s public health care sector,
Michael McMillian, CEO of the association, said stolen information could include social insurance numbers, home addresses, passport and driver’s licence details, along with other personal information. He said 240,000 email addresses alone were possibly taken.
The cyberattack targeted three websites recruiting physicians, nurses and other health professionals: Health Match B.C., Locums for Rural B.C. and the B.C. Care Aide & Community Health Worker Registry.
B.C. has been on a major recruitment drive to attract desperately needed health-care workers to the province.
“I sincerely regret this event happened and I want to reassure everyone that we are working with cybersecurity and privacy experts to address the incident,” said McMillian.
“We know that not all of the information in the potentially affected databases was taken, however, at this time we are not able to conclusively determine which information was involved,” he said.
Individual health records have not been affected and the breach is not associated with a ransomware attack, according to McMillian.
The attack was detected on July 13, although McMillian says the hackers responsible were found to have been in the system between the dates of May 9 to June 10.
The three programs affected continue to operate but with the public-facing websites down, new applicants must contact administrators directly to register.
“This is not as efficient, but these temporary measures will enable potential health-care workers the opportunity to continue to apply and come work in our province,” said Health Minister Adrian Dix.
HEABC said it didn’t know what the total costs will be to address and remedy the cybercrime. It said affected individuals will be offered free fraud and identity protection services for two years.
McMillian declined to divulge how hackers gained access to the system.
“I can’t reveal any details of the actual cybersecurity incident at this point. It is still an active investigation, including law enforcement,” he said.
The Health Employers Association is the bargaining agent for 200 publicly funded health-care employers, representing 170,000 unionized workers including physicians, nurses, health science workers and paramedics.