Penny Daflos reports:
CTV News has learned the personal information of British Columbians has been leaked online, with an unknown number of people and agencies potentially still vulnerable, after a data breach at a mental health services provider.
Homewood Health, headquartered in Ontario with services and contracts across Canada, acknowledges it was hacked earlier this year and has recently begun contacting affected companies and agencies whose information may be compromised, including BC Housing, TransLink and the Provincial Health Services Authority.
Read more on CTV. The Marketo online auction site, which is available on both the dark web via Tor but also on clearnet, claims to have 183 GB of data with a small sample available online. They also claim to have 289 bids for the data, but that’s not something this site can verify.
DataBreaches.net was given access to sensitive data not on Marketo’s site and will be reporting on that more in the future. This site held off on reporting, hoping that Homewood Health would answer a few questions, but they have repeatedly ignored email inquiries from this site and tweets to its Twitter team seeking clarification on some points.
One of the points that DataBreaches.net sought clarification on is its duty to notify employees of any American companies who have contracted with it to provide counseling or wellness programs for employees. DataBreaches.net wrote to one Texas-headquartered client of Homewood Health’s to ask them whether Homewood would be notifying any affected employees or if they would be doing the notification themselves. They did not respond.
Another question is why so much personal and sensitive information appeared to be unencrypted (if it was unencrypted prior to the attack). There was apparently an outage at some point last March during which time calls and records were handled differently, but then why weren’t the files subsequently secured or transferred? DataBreaches.net saw .doc files and excel sheets with dozens and dozens of contact notes such as those in the two screencaps below. Both of the following have been redacted by DataBreaches.net but contained individuals’ full names, dates of birth, phone number, and other details.
In the first screencap, the contact involved an employee of Canada Post who was seeking counseling for their named child.
In the screencap below, the contact involved an employee of Costco who was seeking counseling for themself:
In many respects, this incident is somewhat reminiscent of the 1to1Help.net incident reported by this site in this past. Although that incident involved a data leak and not a breach, both incidents wound up with personal information and notes about counseling sessions publicly available.