Skip to content

Cyberattack on B.C. health websites may have taken workers' personal information

The information could include social insurance numbers, email addresses, passport and licence details and other personal data. 
2023080115080-64c956e53da55e2d4c917fbfjpeg
B.C. Health Minister Adrian Dix speaks during an announcement, in Vancouver, B.C., Friday, June 9, 2023. THE CANADIAN PRESS/Darryl Dyck

VANCOUVER — A cyberattack in British Columbia may have compromised the personal information of thousands of health-care workers, including those the province is trying to recruit to fill much-needed jobs. 

The Health Employers Association of British Columbia said Tuesday that the attack was on three websites it hosts, and personal information associated with 240,000 email addresses of health-care workers may have been seized. 

Michael McMillian, CEO of the association, said the information could include social insurance numbers, email addresses, passport and licence details and other personal data. 

He said the affected server hosted websites for Health Match BC, the BC Care Aide and Community Health Worker Registry, and the Locums for Rural BC program.

"I sincerely regret this event happened, and want to reassure everyone that we are working with cybersecurity and privacy experts to address the incident, safeguard against future attacks and notify and support individuals whose personal information may have been involved," he said at a news conference.

McMillian said the association will reach out to everyone whose information may have been compromised over the next few days to offer them two years of monitoring by the credit agency Equifax. 

Investigators cannot “conclusively determine” which information may have been stolen but caution demanded that they assume all information on the affected server had been compromised, he said, although no health records were obtained.

One of the compromised sites was used to recruit physicians, registered nurses and other health professionals on behalf of health employers. The others helped with vacation coverage for rural doctors and registered care aides working in places including long-term care facilities.

For now, anyone wanting to register for the programs won't be able to do so online but can contact the programs directly, McMillian said. 

Health Minister Adrian Dix said the government was determined not to let the attack affect recruitment.

He said that "obviously there's an impact" when authorities had to inform people that their information may have been compromised and to offer them protection.

"But we also know that people want to come and work in B.C. We have a very successful program to reach out."

Dix said the government is focused on tackling staffing challenges in health care.

"I assure everyone considering applying that your information will be protected. HEABC is committed to strengthening their IT security protocol and has put in place the necessary resources to support everyone potentially affected by this attack in the weeks and months to come." 

McMillian said they learned of the hacking on July 13 as part of "ongoing monitoring" and later established that the hackers were “in the system” from May 9 to June 10. 

He said the organization has not been contacted by the perpetrators. 

McMillian said police, the Office of the Information and Privacy Commissioner for B.C., the Health Ministry and the Canadian Centre for Cybersecurity have been informed of the breach. 

He said the potentially compromised information has all been transferred to a “clean server” with extra security.

Dix said all existing users of the programs have access to their accounts through temporary websites set up on the clean server.

The Health Employers Association is the bargaining agent for 200 publicly funded health-care employers, representing 170,000 unionized workers, including physicians, nurses, health science workers and paramedics.

This report by The Canadian Press was first published Aug. 1, 2023. 

Ashley Joannou, The Canadian Press