Privacy breach alerts and information

Last updated: 3 August 2023 at 2:20 pm

Alerts and information about the privacy breach in June 2023.

Government of Nova Scotia and other users were informed about a vulnerability with a file transfer service called MOVEit (the service allows information to move efficiently within government and to our partners).

MOVEit is a vendor-provided secure file transfer service that’s used around the world by hundreds of thousands of users, not just in government but in the private sector as well.

We know that personal information of many employees of Nova Scotia Health, IWK Health Centre and the public service was stolen. The breach also extends to some members of the public.

Moving forward, it will be challenging to estimate the number of individual Nova Scotians affected because some of the records may belong to the same people. For example, someone who is a certified teacher could be working as a public service employee and have received a parking ticket. The government’s priority is to assess the extent of the breach and notify those impacted.

If government notifies you about the breach

If government notifies you about your information being impacted in the breach, we won’t ask for your health card, social insurance number, banking information other personal information or money. Sometimes there are phishing or scam attempts that try to use a privacy breach to steal additional information. Be safe and don’t share your personal information if asked.

If you receive a letter addressed to someone who has passed away, there are steps you can take to help make sure their identity can't be accessed by criminals. You should notify the federal government of the death if you haven’t already.

  1. Aug

    2 August 2023

    • Notification letters sent to 158 people in the Department of Health and Wellness client registry (newborn registrations) who were impacted by the privacy breach in the healthcare system.
    • Notification letters sent to 795 people in the Department of Health and Wellness client registry (data quality reports) who were impacted by the privacy breach in the healthcare system.

    Jul

    28 July 2023

    • Notification letters sent to 99 people in the Department of Health and Wellness client registry (change of address) who were impacted by the privacy breach in the healthcare system.
    • Notification letters sent to 371 people with the Prescription Monitoring Program who were impacted by the privacy breach in the healthcare system.

    26 July 2023

    • Notification letters sent to 8,103 people with water and tax bill accounts in the Region of Queens Municipality who were impacted by the privacy breach.
    • Notification letters sent to 383 people in provincial adult correctional facilities who were impacted by the privacy breach.
    • Notification letters sent to 245 people in provincial adult correctional facilities who were impacted by the privacy breach.

    20 July 2023

    • Notification letters sent to 15,393 employees of regional centres for education and of the Conseil scolaire acadien provincial who were impacted by the privacy breach.
    • Notification letters sent to 515 employees of regional centres for education and of the Conseil scolaire acadien provincial who were impacted by the privacy breach.

    18 July 2023

    • Notification letters sent to 178 Nova Scotia pension plan recipients who were impacted by the privacy breach.
    • Notification letters sent to 2 students who were impacted by the privacy breach through a Department of Labour, Skills and Immigration file.

    14 July 2023

    • Notification letters sent to 865 people issued Halifax Regional Municipality parking tickets who were impacted by the privacy breach.

    13 July 2023

    • Notification letters sent to 12,825 employees of regional centres for education and of the Conseil scolaire acadien provincial who were impacted by the privacy breach.

    12 July 2023

    • Notification letters sent to 12,320 employees of regional centres for education and of the Conseil scolaire acadien provincial who were impacted by the privacy breach.

    11 July 2023

    • Government is starting an additional notification process for people impacted by the MOVEit cyber security breach. During this phase, notification letters are sent to Nova Scotians who have had less sensitive personal information stolen (they won’t receive credit monitoring and fraud protection because there’s a very low risk of identity theft or fraud).

      Less sensitive information can include names, addresses, license plate numbers and email addresses. Though that data is personal, it doesn’t pose the same risk of harm as stolen social insurance numbers and banking information, which criminals can use to steal someone’s identity.

    4 to 7 July 2023

    • Notification letters sent to 9,483 employees of Nova Scotia Health who were impacted by the privacy breach.
    • Notification letters sent to 730 employees of the Conseil scolaire acadien provincial who were impacted by the privacy breach.
    • Notification letters sent to 12,300 employees of regional centres for education who were impacted by the privacy breach.
    • Notification letters sent to 3,872 employees of the IWK Health Centre who were impacted by the privacy breach.

    Jun

    27 to 30 June 2023

    • Notification letters sent to 30,000 employees of Nova Scotia Health who were impacted by the privacy breach.

    26 June 2023

    • Notification letters sent to 10,000 employees of Nova Scotia Health who were impacted by the privacy breach.

    23 June 2023

    • Notification letters sent to 13,385 public service employees who were impacted by the privacy breach.
    • Notification letters sent to 153 employees of the IWK Health Centre who were impacted by the privacy breach.

    20 to 21 June 2023

    • Notification letters sent to 880 Nova Scotia pension plan recipients who were impacted by the privacy breach.

    20 June 2023

    • Notification letters sent to the 5 students who were impacted by the privacy breach through a Department of Labour, Skills and Immigration file.

    16 June 2023

    • Government started the notification process for people impacted by the MOVEit cyber security breach.
    • Notification letters sent to 52 clients of the Department of Community Services who were impacted by the privacy breach.

    14 June 2023

    • Government is making significant progress in identifying groups of people and organizations impacted by the MOVEit cyber security breach. The investigation is in the early stages of identifying the individuals affected and notification letters will start going out at the end of the week.
    • Government has identified more members of the public and more members of the public service impacted by the breach.

    9 June 2023

    6 June 2023

    • Government has determined that the personal information of many employees of Nova Scotia Health, IWK Health Centre and the public service was stolen (information includes social insurance numbers, addresses and banking information). The amount and type of information stolen depends on the employer.
    • The investigation has not yet determined an exact number, but initial estimates suggest as many as 100,000 present and past employees are impacted.

    4 June 2023

    3 June 2023

    • Government confirmed that some Nova Scotians’ personal information had been stolen. Government is working to determine exactly what information was stolen and how many people have been impacted.

    2 June 2023

    • Government became aware that further investigation was needed. Government took the system offline again and started to investigate. IBM cybersecurity experts were also called in to help.

    1 June 2023

    • Government identified a vulnerability with MOVEit. Government took the system offline and installed a security update as instructed, then brought the service back online.

News releases

Latest news releases and announcements:

Protecting your information

Cybersecurity is an issue for everyone, regardless of whether you are impacted by this breach or not. Steps you can take to protect yourself include:

  • only install applications on your devices from well-known companies
  • never share your password, always create strong passwords and use multifactor authentication where possible
  • monitor your financial accounts and check your credit information regularly with TransUnion or Equifax
  • limit your public computer use to non-sensitive transactions (and remember to log out of public computers when you finish using them)

If you’re worried about your personal information:

  • contact your financial institution and any other companies to let them know that your personal information may be compromised
  • contact TransUnion or Equifax and ask to have a fraud alert placed on your credit report (lenders need to contact you and confirm your identity before they approve any application for credit if a fraud alert is on your credit report)

For information on what to do if your social insurance number is compromised and how to protect it, visit Protecting your SIN or call 1-866-274-6627.

Follow us

Related information