News release

Update on MOVEit Data Breach

Cyber Security and Digital Solutions

The Province has identified more records stolen in the MOVEit cyber security breach. The breach extends to some members of the public and more members of the public service, including:

  • about 55,000 records of past and present certified and permitted teachers in Nova Scotia, including name, address, date of birth, years of service and educational background. The information does not include social insurance numbers or banking information. The list includes people born in 1935 or later.

  • about 26,000 students, aged 16 years and older, including date of birth, gender, student ID, school, civic address and mailing address. This information was in the database because it was shared with Elections Nova Scotia.

  • about 5,000 short-term accommodations owners in the Tourist Accommodations Registry. The information stolen included name, owner’s address, property address and registration number.

  • about 3,800 people who applied for jobs with Nova Scotia Health, including their demographic data and employment details. Social insurance numbers were not included.

  • about 1,400 Nova Scotia pension plan recipients. Their names, social insurance numbers, dates of birth and demographic data were stolen.

  • 1,085 people issued Halifax Regional Municipality parking tickets. Names, addresses and licence plate numbers were stolen.

  • about 500 people in provincial adult correctional facilities; name, date of birth, gender, prisoner ID number and status in the justice system were stolen.

  • about 100 Nova Scotia Health vendors, including product and pricing information. Vendors’ banking information does not appear to be included.

  • 54 people issued summary offence tickets; names, driver’s licence numbers and dates of birth were stolen.

  • 54 clients of the Department of Community Services, including names, addresses, client ID and transit pass photos.

The Province has also identified the impact of the privacy breach in the healthcare system:

  • about 1,330 people in the Department of Health and Wellness client registry, including name, address, date of birth, and health card number.

  • at least 150 people in the Department of Health and Wellness provider registry, including doctors, specialists, nurses and optometrists. Assessments are ongoing. The information taken includes names, addresses and dates of birth. It does not include social insurance number or banking information.

  • about 60 people with the Prescription Monitoring Program, including names, addresses, dates of birth, health card numbers and personal health information.

  • 41 newborns born between May 19 and 26. Information stolen includes last name, health card number, date of birth and date of discharge. Parents will be notified.

Moving forward, it will be challenging to estimate the number of individual Nova Scotians affected because some of the records may belong to the same people. For example, someone who is a certified teacher could be working as a civil service employee and have received a parking ticket. The government’s priority is to assess the extent of the breach and notify those impacted.

Staff across all government departments are going through the stolen files, prioritized in order of risk to Nova Scotians. Anyone whose sensitive personal information was stolen will receive credit monitoring and fraud protection services. Details will be shared in the notification letters to individual Nova Scotians, which the Province intends to begin sending as soon as next week.

“I know that providing more detailed information will cause more concern and questions. No individual or organization is immune from cyber threats or theft,” said Cyber Security and Digital Solutions Minister Colton LeBlanc. “I strongly encourage Nova Scotians to reach out to their financial institution to flag the risk. We will continue to provide updates on what we are learning through our investigation.”

Quick Facts:

  • MOVEit was taken offline June 1 for a security update, then taken offline again on June 2 for further investigation; it has been updated and additional monitoring is in place
  • scammers often use incidents like this to prey on people; the Province will not ask for social insurance numbers, MSI numbers, banking information or money when it notifies impacted Nova Scotians
  • in general, Nova Scotians who think they have been hacked should immediately change passwords and update any versions of browsers, apps and software available for their devices
  • people should also watch their banking and credit card records and consider notifying their financial institutions

Additional Resources:

Updates and information on this breach, including advice for potential victims, is available at: https://novascotia.ca/privacy-breach/

People can get information on protecting their social insurance number and what to do if it is stolen at https://www.canada.ca/en/employment-social-development/services/sin/protection.html or by calling 1-866-274-6627

General cyber-safety information is available at: https://www.getcybersafe.gc.ca/en

NOTE: Civic and mailing addresses were added June 9, 2023, to the list of students' information that was stolen.