Personal data tied to over 30,000 current and former health-care workers in Nova Scotia may have been accessed during a recent security breach through their pension plan.

Members are now being advised to sign up for a credit monitoring and fraud protection service.

In a series of notices that were posted online last month, the operators of the Nova Scotia Health Employees' Pension Plan said it was possible for data on a third-party email server to be accessed over a two-month period, from Nov. 25, 2020 to Jan. 25, 2021.

"NSHEPP takes individual privacy and security seriously and we apologize to our members and employers for this situation," reads the initial notice, dated Feb. 12.

The type of personal information that could have been accessed includes names, addresses, dates of birth, social insurance numbers, salaries, dates of hire, termination or retirement, and other personal information related to administration of the pension plan.

Investigators don't know what was taken

In another notice, posted Feb. 19, the plan operators said the third-party email vendor, Accellion, investigated the breach but could not determine if any of the members' information had actually been accessed or copied.

"Out of an abundance of caution, we are working on the assumption that all data stored during this period was potentially accessed," the notice said.

According to the pension plan's website, it is one of the largest registered pension plans in Nova Scotia, with over 30,000 active members, including 11,000 pensioners who get a monthly income cheque.

One of those pensioners, Reva Sweeney, learned about the issue on Friday when a letter arrived at her New Waterford home. Sweeney, 70, is a retired certified nursing assistant.

"I opened it and I was quite, well, perplexed and alarmed," Sweeney said in a phone interview.

Sweeney said she's concerned that if her name, address, date of birth and social insurance number have fallen into the wrong hands, her personal finances are at risk.

"If they can access your bank account, there goes your money," she said.

Credit monitoring, fraud protection services offered

In its online postings and in the letter Sweeney received, the operators of the plan urged members to sign up for credit monitoring and fraud protection through Equifax — an agency the pension plan has contracted for one year of service for its members.

Sweeney said she's glad to see steps were taken to protect members, but she's leery about signing up for the service.

Equifax, headquartered in Atlanta with a Canadian office in Toronto, is a credit bureau that has been contracted by the NSHEPP to provide credit monitoring and fraud protection for one year. (Mike Stewart/The Associated Press)

"They want you to put in that form the same information that is compromised … that's a concern. So I think for now, myself, personally, I'm just going to keep an eye on my own transactions and bank accounts," she said.

Sweeney's letter is dated Feb. 26 — two weeks after the initial notice was posted online. She said she hasn't looked at the pension plan website in years.

"They must realize most of us don't go on their site daily or monthly or weekly to check it. I think we should have been informed either through the media or through this letter ... as soon as they were informed or very shortly after.

"I think the length of time before we actually found out is — it's upsetting."

CBC has reached out to Nova Scotia Health Employees' Pension Plan for comment and has not yet received a response.

Email server shut down

According to its public notices, the pension plan shut down the compromised email server immediately after learning about the breach and started using a temporary secure file sharing program through SharePoint. It was already in the process of transitioning to a new email system with "more rigorous security features," scheduled for launch later this year.

An independent investigator is looking into the incident.

