Vancouver, BC - On May 21, data stored on the computer systems supporting Vancouver Coastal Health's (VCH) Employee & Family Assistance Program (EFAP) were encrypted by ransomware, a form of malicious software. VCH immediately activated its cyber-attack response, engaged external cybersecurity experts to help conduct a comprehensive investigation, and reported the incident to the Office of the Information & Privacy Commissioner.
The investigation of this cyber-attack is now complete and there is no evidence any data has been removed or misused from EFAP computers. The last five years of the client database has been fully restored up to February 2020 - partial client data has been restored from March to May 2020.
If you would like to speak to someone, please contact our call centre at 1-800-505-4929. You can also reach us by email at email@example.com.
1. What happened?
We are deeply concerned about our clients who were affected by this cyber-attack. During COVID-19, our EFAP staff was granted remote access so they could continue to provide virtual care to clients during the pandemic - this may have created some vulnerability to our computer system during the cyber-attack.
On May 21, data stored on the IT systems supporting the Employee & Family Assistance Program (EFAP) were encrypted by ransomware, a form of malicious software. Encryption is a process that encodes (scrambles) a file so that it is inaccessible and can only be read if it is decrypted (unscrambled).
We take this very seriously. In response, VCH immediately activated our cyber-attack response and engaged external cybersecurity experts to conduct an IT forensic investigation. The EFAP computer systems were managed by an independent IT contractor outside the VCH network to maintain privacy and confidentiality.
We have since brought the EFAP computer systems into the VCH Information Management and Information Technology network for ongoing oversight and security protection. We also activated established business continuity protocols to ensure we were able to continue to support EFAP clients safely, reliably and without interruption. The cyber-attack was immediately reported to the Office of the Information & Privacy Commissioner.
We have restored the last five years of our client database (partial client data from March to May 2020). There is no evidence that any data was removed from EFAP systems during the cyber-attack.
VCH is reaching out to clients who used EFAP services between 2015 to 2020 to make them aware of the cyber-attack and the steps we have taken to provide ongoing protection of our computer systems.
2. When did the incident occur?
The cyber-attack occurred on May 21, 2020.
3. Was EFAP able to recover all the data that was encrypted?
We have restored the last five years of our client database (partial client data from March to May 2020). There were historical files prior to January 2015 which we have been unable to recover.
4. How can VCH be sure that no client data was stolen? Is it possible the data was taken?
While we cannot absolutely rule out the possibility that some data was taken, there is no evidence that data was removed from the EFAP system.
5. Who do I call if I have concerns about my EFAP data?
We have set up a dedicated call centre to provide clients with the support they need, by phone and email. We encourage you to contact us by phoning our call centre at 1-800-505-4929 emailing us at firstname.lastname@example.org.
6. How many clients may have been affected?
The cyber-attack resulted in the encryption (scrambling) of approximately 30,000 client files. There is no evidence that any data was removed from EFAP systems.
7. Who uses EFAP services provided by VCH?
The Employee and Family Assistance Program provides a suite of confidential counselling, wellness and related services to employees and family members of participating health organizations.
8. What type of data was stored on the affected systems?
The data includes demographic information such as client names, addresses, phone numbers, gender and dates of birth. The data also includes other personal information contained in client files related to health and wellness services. There is no evidence that any data was removed from EFAP systems.
9. Should clients be concerned about their personal data?
Vancouver Coastal Health is committed to strong privacy and security control. We take this type of cyber-attack very seriously and took immediate steps to activate our cyber-attack response and engaged external cybersecurity experts to help us investigate and respond.
There is no evidence that any data was removed from EFAP systems during this incident. We are offering free credit monitoring services to impacted individuals as an additional precautionary measure.
10. How are clients being supported?
Although we have not identified any evidence that your information was removed or misused, we are offering credit monitoring protection to you, including identity theft insurance of up to $50,000, for one year, at no cost.
If you have questions about this incident, we encourage you to contact us by phoning our call centre at 1-800-505-4929 or emailing email@example.com.
11. Why is VCH offering impacted stakeholders credit monitoring if no data was stolen?
Although there was no evidence that data has been removed from EFAP computers, as a precautionary measure, we are offering all impacted individuals who we could identify credit monitoring services for a year at no cost.
12. I've received an email about the cyber-attack. How can I be sure this is not a spam email?
Clients will receive an email from firstname.lastname@example.org, which includes information about activating credit monitoring services. We want to assure you that this is a legitimate email from EFAP and that the information is valid. Informing those who have accessed our program? is of upmost importance to us. We are reaching out to clients to make them aware of the cyber-attack and the steps we have taken to provide ongoing protection of our computer systems.
13. Has there been any disruption to employee and family assistance?
No, we are committed to the health and safety of employees and families and continue to provide employee and family assistance 24/7 through our main phone line at 1-800-505-4929.