37,800 people sent privacy breach notifications linked to N.L. cyberattack
Affected individuals include patients plus current and former employees
Newfoundland and Labrador's largest health authority has notified 37,800 people that their privacy was breached as part of last fall's devastating cyberattack.
That number equates to about one in every 13 people in the province.
And according to Eastern Health, it could go even higher.
Those affected include patients, along with current and former employees.
The Department of Health steered interview requests to Eastern Health, which did not make anyone available for an interview.
In October, cybercriminals rocked Newfoundland and Labrador's health-care system.
Information was stolen, lab results were inaccessible, and procedures and treatments were delayed.
Government officials have been tight-lipped about what happened, refusing to say whether it was a ransomware attack, or who was responsible.
The initial bad news spawned by the attack got worse in March, with the revelation that the scope of the breach was worse than originally thought.
More than 200,000 files had been taken from an Eastern Health network drive.
The health authority's CEO, David Diamond, said at the time that a review had been launched to determine how many people had been affected.
"We expect the number could be large, could be thousands of individuals at the end of the day between staff and patients," Diamond said March 30.
"But that'll become clear as we do the work over the next six to eight weeks."
- Cybersecurity framework still not finalized after 3 years, N.L. agency blames COVID for delay
- Long before N.L. cyberattack, report flagged flaws in system
Those weeks have now passed, and what was once "thousands of individuals" is, at this point, 37,800.
An emailed statement from Eastern Health suggested it could climb even higher.
"All clients who availed of an Eastern Health service at any time were impacted by the resulting breach of their personal health information," the health authority noted.
"Our investigation of the files associated with the breach of Eastern Health's shared drive is continuing. This review should give us a better idea of how many people are affected."
Officials did not respond to a followup message from CBC News seeking clarity on the statement that "all clients who availed of an Eastern Health service at any time were impacted."
Lee Kim, senior principal of cybersecurity and privacy for the U.S. non-profit Healthcare Information and Management Systems Society, says the breach underscores the importance of strong defences for IT operations.
"The harder you make it for attackers to compromise your systems, the lower it is for these cyberattackers to want to breach us," Kim said from Pittsburgh this week.
Anyone caught up in the attack should keep an eye on their medical and financial records, Kim added.
"You just need to be a little bit extra-diligent," Kim said.
To help with that, the province is offering free credit monitoring and identity theft protection services.
So far more than 21,000 people have inquired about signing up, according to Eastern Health.