Notice of Privacy Incident – Homewood Health
As set out in the notice of July 23, 2021, Homewood’s Employee and Family Assistance Program was the victim of a cyber security incident involving unauthorized access to its computer systems. An exhaustive investigation has been completed with the assistance of a leading national cyber-security firm.
Description of Incident
The data incident involved unauthorized access to some personal information of certain employees and their family members related to Employee and Family Assistance Program (EFAP) services. Homewood Health took immediate steps to contain the incident and to ensure that its systems were secure.
Nature of the information that was affected
Records include limited personal information, such as name, date of birth, email address or telephone number. In some cases, the records include the type of service accessed or issue addressed or other information relating to the services provided.
Note that as part of their EFAP services, it is not Homewood’s practice to collect government issued ID numbers such as health card numbers, driver’s license, SIN numbers, financial or banking information, insurance or benefit plan numbers.
Steps taken to mitigate and prevent reoccurrence
With the support of external cyber security and privacy experts, Homewood Health took immediate steps to contain the incident and has been working closely with these experts to support Homewood Health’s investigation, assessment, and continued remediation efforts. Homewood Health also took steps to verify that data accessed was securely destroyed.
Since taking these measures, there has been no evidence of any disclosure or misuse of this information. Based on efforts undertaken by Homewood Health and its third-party cyber security experts, it is believed such risk is low. Homewood Health will continue to monitor the situation closely.
Homewood Health notified privacy regulatory authorities and law enforcement agencies and is following their guidance and direction.
Homewood Health has taken a number of additional steps to further strengthen their systems, including:
- user and administrative account passwords were changed and augmented
- several systems upgrades and additions were made to ensure best practice protection and detection are in place
- Homewood Health introduced enhanced security training for its staff, with regular refreshers and recertification, as well as ongoing tests and adherence monitoring
How can individuals find out if their information was affected?
Homewood Health is activating on January 31, 2022, a confidential inquiry line as well as supports for impacted clients (Employees/Family Members). Any individual who has used their EFAP services can find out whether their information was affected by calling the confidential inquiry line at 1-833-787-2862 or they may submit an inquiry using the online form. Homewood Health is offering identity and credit monitoring protection to any individual whose information has been affected.
Protecting the confidentiality and privacy of personal information has always been one of the cornerstones of Homewood Health’s business. Homewood Health has implemented additional monitoring and security measures to further strengthen their cyber security protections against illegal activity.
Information about the incident will be posted on Homewood’s website beginning next week, and a notice will appear in a national newspaper.