Newfoundland and Labrador's largest health authority is reporting a privacy breach affecting thousands of its employees, including the loss of sensitive data like social insurance numbers, names and employee numbers.
Eastern Health said a USB flash drive containing a spreadsheet of employees' personal information went missing sometime between last Wednesday and Friday.
At a news conference Friday morning, CEO David Diamond said the health authority spent the last few days searching for the drive, tearing apart their offices.
Of the 9,000 people whose information was on the flash drive, 3,300 staff with surnames starting with letters P-Z had social insurance numbers included in the information spreadsheet.
The remaining 5,700 employees had their names and employee numbers breached.
"On behalf of Eastern Health, I want to publicly apologize to our employees whose personal information was on the missing flash drive," president and CEO David Diamond said in a statement.
Lost, not stolen
The USB drive was last used on June 17 in an office within Eastern Health's human resources department, and was reported missing two days later.
Diamond said they believe the USB is lost and not stolen, adding there is nothing to suggest that the information on the USB drive will be used for a fraudulent purpose.
Employees can access credit reports free-of-charge, the news release said.
Following the breach, Eastern Health said it plans to "upgrade its anti-virus platform so that USB drives will be automatically encrypted before use."
Eastern Health said it will start calling the employees whose social insurance numbers were on the flash drive. The remaining employees will be sent a letter beginning next week.
Privacy commissioner stepping in
Diamond said 30 workers have been tasked to work full-time to make the calls to the impacted employees.
"Eastern Health is co-operating fully with our investigation, and they are taking appropriate steps to respond to the breach," said a spokesperson from the Office of the Information and Privacy Commissioner.
"We will remain in close contact with Eastern Health officials as our investigation moves forward."
The spokesperson added the office hopes to provide recommendations to the health authority once the investigation is complete.
Under the new access to information law, the privacy commissioner no longer needs an official complaint before launching an investigation.
This breach marks the first time the watchdog will use that power.