Here's what to do if data belonging to a deceased loved one was stolen in the N.L. cyberattack

·4 min read
Thousands of people have had their data stolen in the cyberattack on the Newfoundland and Labrador health-care system. (Jonathan Hayward/Canadian Press - image credit)
Thousands of people have had their data stolen in the cyberattack on the Newfoundland and Labrador health-care system. (Jonathan Hayward/Canadian Press - image credit)
Jonathan Hayward/Canadian Press
Jonathan Hayward/Canadian Press

Personal information belonging to thousands of employees and patients — including those who are now deceased — was taken in the late-October cyberattack on the Newfoundland and Labrador health-care system, leaving lingering questions from victims about what to do next.

The provincial government is providing free credit-monitoring services to anyone whose information has been taken and will be individually contacting over 1,200 living patients whose social insurance numbers have been stolen.

But for Krista Nugent-Thomas, it's not clear how to handle her deceased husband's records.

Nugent-Thomas says she became concerned that information belonging to her late husband — including his social insurance number — may have been stolen, but told CBC News she encountered hurdles when trying to figure out next steps on his behalf.

"They're really not giving very much … to the public, certainly, definitely not to anyone who is looking for information for deceased individuals," Nugent-Thomas said.

The social insurance numbers of 2,541 patients were leaked in the attack. More than half of them belong to patients who are now deceased.

The government will be contacting the living patients individually, but has so far not said if it will be contacting the next-of-kin of deceased individuals. However, spouses of deceased individuals are able to avail of the free credit monitoring services the provincial government is offering through Equifax.

Nugent-Thomas said she called the Newfoundland and Labrador cyberattack hotline, and was told the government would not be contacting next-of-kin of deceased individuals to let them know if their loved one's social insurance number has stolen.

There is no way for Nugent-Thomas to know for sure if her husband's information has been stolen, and she said she's worried that someone could cause problems for his estate.

"When something like this is added on top of everything else that comes with the loss of a spouse, it's incredible how much stress that it can add," she said.

Taking precautions

In a statement, a spokesperson for Eastern Health said more than 8,000 of its current and former employees, and nearly 800 members of the public, have enrolled in the credit monitoring through Equifax.

The spokesperson said it costs $46 per activation code to provide five years of credit monitoring to any employee or patient whose social insurance number was taken in the attack, and $12.35 per activation code to provide two years of credit monitoring to all other patients.

Each regional health authority is paying for credit monitoring for its own respective employees, while Eastern Health is footing the bill for patients across the province.

Just because a person has died does not mean their identity can no longer be stolen, said Al Antle, executive director of Credit Counselling Services of Newfoundland and Labrador.

"If you can negotiate a loan in a deceased person's name and you just disappear, then nobody knows anything as to what's happened until somebody goes looking for the deceased person and discovers that they are, in fact, deceased," Antle said.

Antle said there are actions people should take to protect the identity of a deceased person if they were a victim of the cyberattack.

After someone dies, their social insurance number can still be used for estate purposes. Service Canada does not require deaths to be reported, but it does recommend informing its SIN program to reduce the risk of fraud.

A deceased person's final income tax return should help prevent that person's identity from being stolen, said Antle, but it's also a good idea to let the major credit bureaus, TransUnion and Equifax, know that the person has died.

Bruce Tilley/CBC
Bruce Tilley/CBC

"That, in my estimation, is best achieved by a letter from the executor, accompanied by a copy of the funeral director's statement," Antle said.

In its statement, Eastern Health noted that if a credit file is locked, it will no longer need to be monitored.

In Antle's view, the provincial government and the regional health authorities have done a good job of handling the information theft. He said people affected by the data breach should take the necessary precautions to protect their data.

"I would also venture to guess that within six months to a year, there will be incidents where people have their identities stolen or there are questionable financial transactions happening in their financial world that they can't explain," he said.

Read more articles from CBC Newfoundland and Labrador

Our goal is to create a safe and engaging place for users to connect over interests and passions. In order to improve our community experience, we are temporarily suspending article commenting