A report released by Nova Scotia’s Information and Privacy Commissioner today has found the provincial government failed to take necessary precautions before a major cyberattack in 2023 that exposed personal data, including social insurance numbers, health records, and banking information.

The breach occurred when hackers exploited a vulnerability in MOVEit, a file transfer system used by the government to manage large amounts of data. The Commissioner’s investigation determined that before launching the system, the province did not conduct a privacy impact assessment, a standard process to identify risks. Additionally, the government lacked clear policies on data retention and disposal, which may have worsened the extent of the breach.

While the government acted quickly to contain the attack and notify those affected, the report noted several shortcomings in its response. Many notification letters contained unclear information, adding to public confusion, and some individuals never received notices due to outdated contact records. The Commissioner also criticized the government’s lack of transparency, calling for a clearer public plan on how cybersecurity risks will be addressed in the future.

The report outlines eight recommendations to strengthen privacy protections, including improving security safeguards, ensuring up-to-date contact records, consulting the Privacy Commissioner before issuing breach notifications, and making the government’s cybersecurity response plan public. The province has 30 days to determine whether it will implement the proposed measures.