Canada Health Breaches Leak Buckets of Private Health Data

august 31, 2021 | data breach
doctor sitting with patient

Of all the data breaches in all the world, perhaps none will ever be more sensitive or alarming than leaks involving private health information (PHI). When the stolen information is mental health data on thousands in British Columbia, Alberta and Nova Scotia, the crime rises to the level of a data disaster. It all traces back to an Ontario-based mental health service provider.

Homewood Health reported the loss in late July but added that the breach began early this year. The company offered no figures on the number of employees and families involved at the many agencies it serves. While their corporate website hosts an entire page of health data privacy guidance, a public statement about the breach has yet to be posted.

Homewood operates offices in Vancouver, Calgary, Edmonton and Mississauga plus other locations and employs 4,500 workers to run its mental health clinics and addiction treatment centers nationwide.

It appears that Homewood received a heads up from hackers after the breach; such notice is usually a request for ransom funds to keep the data private.


The leak, which is still under investigation, was revealed by a professional data security researcher. It's common for good guys in the field to search the Dark Web for new posts, and data leak packages up for sale then alert the businesses involved. In this instance, data appeared for sale on Marketo, an easy-to-access marketplace that sells hacker goods and information.

Some Homewood workers were probably victims, but other groups, including BC Housing employees, could suffer too. The Provincial Health Services Authority and TransLink were also mentioned for that province.

In addition to BC entities, groups in Alberta who contracted with Homewood include the Workers' Compensation Board of Alberta, several small cities and two universities. The National Energy Board also known as the Canadian Energy Centre, has been cited as a client as well.

In Nova Scotia, the Halifax Public Libraries, another Homewood Health client, has already spotted some employee data released onto Marketo's website. However, it appears the breach didn't involve any library patron data.

Why all the Concern?

This sort of breach creates significant worries. If mental health documents for patients of outpatient clinics or residential treatment centers become public, the risks are broader than for most data losses. Financial fraud can occur if hackers can tap leaked payment data. However, this breach carries an additional, highly sensitive risk. Some experts are concerned about subsequent blackmail, which could follow if addiction or mental illness details get into the wrong hands. According to one non-profit breach reporting site, intruders stole actual counseling session notes, and those documents raise the stakes sky high. Since many victims appear to work for government agencies or non-profit groups, info on some key individuals could be part of the hacker haul.

Victims must closely monitor all their PHI and review their primary financial data. Check credit reports for significant changes that could warn of fraud. It's also intelligent for clients to review all the data Homewood held in its files to rule out additional risks. IDShield Canada can do most of the monitoring work for you. If you don't know where to begin, our expert staff can consult with members to develop a comprehensive response plan.


IDShield is a product of Pre-Paid Legal Services, Inc. d/b/a LegalShield (“LegalShield”). LegalShield provides access to identity theft protection and restoration services. For complete terms, coverage, and conditions, please see an identity theft plan. All Licensed Private Investigators are licensed in the state of Oklahoma. This is meant to provide general information and is not intended to provide legal advice, render an opinion, or provide any specific recommendations.

Learn more about protecting yourself against identity theft