Notice of Privacy Incident Affecting our Employee and Family Assistance Program Services

Homewood Health has now completed an investigation of a cyber security incident that occurred in March 2021 involving unauthorized access to personal information pertaining to some of our Employee and Family Assistance Program clients.

The records include limited personal information, such as name, date of birth, email address or telephone number and employer. In some cases, the records include the type of service accessed or other information relating to the services provided.

With the support of third-party cyber security and privacy experts, Homewood Health took immediate steps to contain the incident and has been working closely with these experts to support its investigation, assessment, and remediation efforts.  Homewood Health took steps to verify that data accessed was securely destroyed. Homewood Health also notified law enforcement, and relevant privacy commissioners across Canada.

Since taking these measures, there has been no evidence of any disclosure or misuse of this information.  Based on efforts undertaken by Homewood Health and its third-party cyber security experts, it is believed such risk is low.  Homewood Health will continue to monitor the situation closely.

Protecting the confidentiality and privacy of your personal information has always been one of the cornerstones of Homewood Health’s business. Homewood Health has implemented additional monitoring and security measures to further strengthen our cyber security protections against illegal activity. 

If you or a family member has used our Employee and Family Assistance Program services before April 1 2021, you (or your family member, as the case may be) can find out if you may have been affected by calling our Privacy Office at 1-800-265-8310 ext. 32443 (privacy@homewoodhealth.com) or click the link below to submit an inquiry using our confidential online form. If you or a family member have been affected, Homewood Health is offering two years of identity and credit monitoring protection for inquiries received by November 30, 2022.

We sincerely appreciate your understanding and regret any distress that this incident may cause.

What happened?

Homewood Health was the victim of a criminal cyber security incident that occurred in March 2021 involving unauthorized access to personal information pertaining to some of our Employee and Family Assistance Program (EFAP) clients. Homewood Health became aware that data from one of its file servers had been illegally obtained and was advertised for sale on a criminal marketplace. Homewood Health reached out to its customers in July 2021 when it discovered the incident and commenced an investigation.

With the support of third-party cyber security and privacy experts, Homewood Health took immediate steps to contain the incident and to verify that data accessed from Homewood’s systems was securely destroyed. Homewood Health has also notified law enforcement and privacy commissioners across Canada.

Homewood Health has continued to engage with cyber security and privacy experts and relevant authorities to support a thorough investigation and assessment of this incident and to guide its remediation efforts.  

How do I find out if I am affected?

To find out if you may have been affected, please complete our secure, confidential inquiry form or call the Privacy Office at 1-800-265-8310 ext. 32443 (privacy@homewoodhealth.com).

How does the confidential inquiry process work?

You will be asked to provide information to confirm your identity, such as name, employer, date of birth and contact information.

  • Please note that you can only inquire about your own personal information. If there is someone else who wishes to inquire, they must contact Homewood Health individually.
  • If you are acting as someone’s substitute decision maker or authorized representative, including on behalf of a minor, please contact our Privacy Office at 1-800-265-8310 ext. 32443 (privacy@homewoodhealth.com)

Once your identity has been verified, you will be advised whether or not your personal information has been impacted.

If calling through the confidential inquiry line, our agents can advise you right away. If your information has been impacted, you will receive written confirmation within approximately one week, including information about the incident, description of personal information affected, contact information, how to make a complaint, and information about identity and credit monitoring (for inquiries received by November 30, 2022).

If you are inquiring through our secure, online form, you will receive written confirmation within approximately one week. If your information has been impacted, you will receive information about the incident, description of personal information affected, contact information, how to make a complaint, and information about identity and credit monitoring (for inquiries received by November 30, 2022).   

What have you been doing since becoming aware of this incident?

Since becoming aware of the incident, Homewood Health has been focused on three goals. First, ensuring the privacy and security of our systems to make sure that your personal information is safe. Second, completing a comprehensive investigation to understand what happened and to determine those individuals that may have been affected so that we could begin the notification process. Third, enhancing Homewood’s processes, systems and training to protect against this type of attack in the future.

Did this incident affect other Homewood services beyond its EFAP services?

No. This incident only affected our EFAP services, and only for some individuals. There is no evidence of any unauthorized access to personal information relating to Homewood’s treatment facilities or any of the other programs and services offered by Homewood.

What is the risk now?

Homewood Health has implemented additional monitoring and security measures to further strengthen our cyber security protections against illegal activity. Homewood also took steps to verify that data accessed from Homewood’s systems was securely destroyed. Since containing the incident, there has been no evidence of any disclosure or misuse of this information. Homewood Health will continue to monitor the situation closely and will advise individuals should it change. Based on efforts undertaken by Homewood Health and its third-party cyber security experts, it is believed that the risk is low.

Is there risk of identity theft?

It is not Homewood Health’s practice to collect personal financial and government information such as social insurance numbers, credit card information and health card information as part of its Employee and Family Assistance Program services, which is the type of information that increases the risk of identity theft. However, if you or a family member have been affected and are concerned, Homewood Health is offering two years of identity and credit monitoring protection (for inquiries received by November 30, 2022).

What are you doing to protect affected individuals?

Homewood Health is offering two years of identity and credit monitoring protection to any individual who has been affected. Affected individuals who inquire by November 30, 2022 will be provided with an access code and instructions on how to activate this protection.

What are you doing to prevent this from happening again?

The privacy and protection of our clients’ information remains our top priority. Homewood Health has implemented additional monitoring, security measures and training to further strengthen its cyber security protections against illegal activity.

Why are you not contacting affected individuals directly?

There are several reasons why Homewood Health is not able to contact individuals directly. First, due to the confidential nature of EFAP services, there is a concern that reaching out directly to individuals could actually cause more harm. Receipt of a letter, email or phone call could itself breach someone’s privacy as it may allow family members or others to see that Homewood’s confidential services have been accessed. In extreme situations, there is potential that exposing this information at home could expose the client to physical or emotional risk. Second, Homewood has very limited contact information accessible through its EFAP services, and no way of knowing if the information is current or up to date. Given the unique circumstances, Homewood consulted with privacy commissioners in several jurisdictions who were supportive of this indirect notification approach.

What if I still have questions?

If you have additional questions regarding this incident, please contact our Privacy Office at 1-800-265-8310 ext. 32443 (privacy@homewoodhealth.com).