Notice: MOVEit vulnerability
October 11, 2023 – Green Shield Canada, an entity within the broader GreenShield enterprise, uses MOVEit, a leading third-party file transfer service, to securely move information with, and between, select clients and organizations that assist us in delivering benefits to our members. Green Shield Canada has been working diligently with external cybersecurity experts to confirm if there was any impact to Green Shield Canada systems as a result of the global MOVEit software vulnerability.
The investigation has concluded and shows no indication of any access to or impact on our IT systems, other than the targeted MOVEit Transfer application. Upon notification by MOVEit we promptly implemented MOVEit’s recommended measures to address the vulnerability and further secured our own file transfer protocols. GreenShield Health (i.e. Inkblot, Tranquility, BCH Consultants and The Health Depot) is not impacted by this situation.
We have now determined that a subset of files containing personal information, transferred through the MOVEit file transfer service, may have been accessed, impacting some of Green Shield Canada’s plan members. However, Green Shield Canada has been closely monitoring this situation and has found no evidence of any data involved in this incident being disclosed or misused.
Action Green Shield Canada is Taking
Green Shield Canada is directly notifying individuals whose data was contained in these files of this incident. Out of an abundance of caution, we are providing these individuals with complimentary credit monitoring and identity theft protection services through Equifax, so they can be proactive – there is no indication of this data being misused. These services are specifically designed to assist impacted individuals in safeguarding their personal information. Details on how to access and utilize these services are provided in the notification.
Green Shield Canada remains committed to the security and trust of our stakeholders and appreciates plan members’ patience, support, and cooperation.
If a Green Shield Canada plan member has not received a notification from Green Shield Canada, there is no action to take or need for concern.
In June 2023, Green Shield Canada initiated an investigation into the impact of a software vulnerability within MOVEit, a third-party file transfer system used for exchanging select client and stakeholder information for Green Shield Canada. The software vulnerability was exploited, resulting in a cyberattack on MOVEit that impacted thousands of businesses worldwide that rely on this software.
Green Shield Canada has completed its investigation and concluded that limited data was captured via the MOVEit software, and not through any other part of Green Shield Canada’s network infrastructure. Further, GreenShield Health (i.e., Inkblot, Tranquility, BCH Consultants and The Health Depot) was not impacted. Throughout the investigation, timely updates were posted on greenshield.ca (https://www.greenshield.ca/en-ca/data-security) beginning on June 14, 2023.
A limited set of files transferred through the MOVEit file transfer service may have been accessed, impacting some of our plan members. While there has been no evidence of any plan member data being disclosed or misused, out of an abundance of caution, those within this group have been informed privately and provided with complimentary credit monitoring and identity theft protection services through Equifax.
If a Green Shield Canada plan member has not received a notification from Green Shield Canada, there is no action to take or need for concern.
Green Shield Canada retained external experts to assess whose data was impacted. That investigation is now complete, and those whose data was improperly accessed because of the vulnerability that was exploited have received direct communication from us.
While there has been no evidence of any plan member data being disclosed or misused, out of an abundance of caution these communications contain information from Equifax about how to access two years of complimentary credit monitoring and identity theft protection services, to enable and encourage our members to be safe and proactive.
We appreciate your concern and understand your desire for timely information. Updates were posted on greenshield.ca beginning on June 14, 2023. Before contacting you directly, our priority was to conduct a thorough investigation to determine the extent of the incident and identify those who may have been affected. This process took some time as we needed to ensure accuracy and clarity in our notifications. Importantly, we can now confirm that our own networks remained secure and that a limited number of files transferred via MOVEit were impacted.
Green Shield Canada has concluded its investigation and is notifying affected individuals that some of their data may have been improperly accessed as part of the MOVEit cyberattack. This group has been informed privately and, despite there being no evidence of any plan member data being disclosed or misused, out of an abundance of caution, we have provided complimentary credit monitoring and identity theft protection services through Equifax.
If a Green Shield Canada plan member has not received a notification from Green Shield Canada, there is no action to take or need for concern.
Please note that Green Shield Canada has been closely monitoring the situation and has seen no evidence of any plan member data being disclosed or misused. If you have received a communication from Green Shield Canada regarding the MOVEit cyberattack, out of an abundance of caution, you should be proactive and follow the instructions in the letter to sign up for our offer of complimentary credit monitoring and identity theft protection services through Equifax. This service will be paid for by Green Shield Canada. For more information or assistance, contact Equifax at 1-800-871-3250.
Our investigation into this cyber incident confirmed that the vulnerability was limited to MOVEit’s software and did not affect our networks. We maintain robust security measures and have bolstered them further. We are also committed to proactive evaluation and improvement when it comes to data security so that the information of our plan members and their dependents is protected.
Green Shield Canada is committed to the security and trust of our stakeholders and appreciates plan members’ patience, support, and cooperation.
There are several steps you can take to safeguard your personal information and mitigate the risk of being a victim of cybercrime, including:
- Sign up for the Equifax Service: If you have been notified that your data was included in this attack on MOVEit, we strongly recommend you take advantage of our offer of two years of complimentary credit monitoring and identity theft protection services from Equifax.
- Monitor Your Accounts: Regularly review your financial and online accounts for any suspicious activity. Report any unauthorized transactions or concerns to the respective institution immediately.
- Change Passwords: As a precautionary measure, we advise changing your passwords for any online accounts associated with our services. Please choose strong, unique passwords and avoid reusing them across multiple platforms.
- Be Vigilant: We urge anyone who conducts business with us to remain vigilant and be cautious of any unsolicited emails, messages, or phone calls requesting personal information, particularly if they purport to be from Green Shield, unless you are expecting such communication from us. Exercise extra scrutiny when clicking on links or downloading attachments, as they may be attempts to deceive you into providing sensitive information.
- Obtain a Copy of Your Credit Report and Place a Fraud Alert on it: We have offered those impacted complimentary credit monitoring and identity theft protection services from Equifax, and we encourage those individuals to contact Equifax and sign up for those services. If you were not impacted, you can still proactively call Canada’s two main credit reporting agencies to obtain a free copy of your credit report (if you want to access it online, you may be required to pay a fee). You can also have these agencies place a fraud alert on your credit report (this is also a free service). Once this alert has been added, lenders will need to contact you and confirm your identity before they approve any new application for credit:

Equifax Canada Co.
National Consumer Relations
P.O. Box 190
Montreal, QC H1S 2Z2
(800) 465-7166

TransUnion
Attention: Consumer Relations Centre
3115 Harvester Road, Suite 201
Burlington ON L7N 3N8
(800) 663-9980