October 19, 2022
Q. What happened?
A. St.Amant was the victim of an online attack. An unknown person or persons accessed our computer network (otherwise known as “hacking”).
Q. Why would someone do this?
A. We don’t know for sure. It’s possible they were planning something like a ransomware attack – by encrypting our own files and demanding a ransom payment for the decryption key. There are other common types of malware or attack, but the important thing to know is that no kind of attack was successfully carried out. No information was exfiltrated (stolen) from our network.
Q. When did this happen?
A. The unknown person or persons accessed our system on August 23, 2022.
Q. What did St.Amant do about this attack?
A. The breach was detected on August 30, 2022. We shut down access to the network and engaged a cybersecurity company to assist us with securing our information, removing anything the hacker may have placed in our system, and determining what happened. Since August 30 we have reset every staff person’s password and implemented stronger password requirements, we have implemented Multi-Factor Authentication (MFA), and we conducted a deep review in order to be able to provide you with the information above.
We also informed the Manitoba Ombudsman of this attack, and we will work with them going forward to review this incident and consider any further recommendations they may have.
Q. What kinds of information were at risk?
A. For a person who is or has received support from St.Amant, this could include: name, birthdate, contact information, referral information, assessments, diagnoses, treatment plans, progress notes, medications, appointment dates, billing information, personal health identification numbers, treaty numbers, and employment and income assistance numbers.
For a past or present staff member of St.Amant, this could include: name, birthdate, contact information, social insurance number, banking information, background checks, position, professional registration numbers, wages, deductions, staff photos, performance evaluations, letters summarizing meetings held, and personal health information shared with Occupational Health Services (including appointment dates and restrictions, but not diagnoses, specific medical notes, or instructions).
For a past or present volunteer with St.Amant, this could include: name, birthdate, contact information, information recorded on your government-issued identification, background checks, evaluations, and hours worked.
Q. If it doesn’t look like my information was stolen or ransomed, why are you telling me about this event?
A. We are legally required to inform you under The Personal Health Information Act (PHIA) and/or The Freedom of Information and Protection of Privacy Act (FIPPA) of Manitoba. More than that, we want to be transparent with you. For that week in time, this unknown person had access to any information we kept on our network drives. On these drives we kept the information we needed to do our jobs, and sometimes that included personal information or personal health information. We hope that no harm comes to anyone who was a victim of this breach, but we want you to have the information you need in order to protect yourself.
Q. Should I do anything to protect myself?
A. There are things you can do. This includes changing passwords in all parts of your life (personal, work, volunteer, etc.) and if possible using Multi-Factor Authentication (MFA) or a password manager. You can also look into identity theft protection services that can do things like monitor websites and databases for signs of your personal information, such as your social insurance number (SIN), driver’s license information, bank account numbers, etc. If you’re concerned about access to your personal health information, you can contact your care providers to ensure only people you trust have access to your records. You might also place a fraud alert on your credit files. A fraud alert conveys a special message to anyone requesting your credit report that you suspect you were a victim of fraud. When you or someone else attempts to open a credit account in your name, the lender should take measures to verify that you have authorized the request.
Q. Who do I call if I have more questions?
A. You can contact our Privacy Officer if you would like more information:
Kristyn Dunn, CHIM
Coordinator, Health Information & Privacy
Health Information Services, St.Amant
440 River Road
Q. Who else can I contact if I am not satisfied with the response from St.Amant?
A. The Manitoba Ombudsman investigates complaints from people who have concerns about the protection of their personal information or personal health information. We have reported this breach to them and are working with them to review the situation. If you are concerned about the response from St.Amant, you can contact them at:
750-500 Portage Avenue
Toll Free: 1-800-665-0531
Q. What are you doing to protect my information, going forward?
A. We are committed to a deep review of the types of information stored on our network drive and how best to secure documents against snooping.
We will cooperate with the Office of the Manitoba Ombudsman as they review the incident and make recommendations.