FYidoctors – Notice of Cybersecurity Incident
FYidoctors (“we”, “us”, “our”) takes the privacy and security of personal information in our care very seriously. On November 10, 2023, we identified unauthorized activity in our network. We promptly took steps to secure our network and prevent against further unauthorized access, including disconnecting our systems from the network. We also engaged a team of third-party cybersecurity experts to investigate the cause and extent of this incident, and have retained external legal counsel to oversee our response to this incident and ensure we meet our legal obligations.
Our investigation into this incident determined the period of compromise was October 18 to November 10, 2023, during which the unauthorized third party accessed and copied certain data from our network. If you purchased any eyewear or other products from our online or physical stores, received eye examinations, or consulted with a FYi physician, your information may have been impacted. Please note that if we have your email or home address on file, you will have received a notice directly.
The review of the data involved in this incident revealed that some or all of the following types of information pertaining to you may have been impacted: name, phone number, date of birth, government-issued identification (e.g., driver’s license), financial-related information (e.g., account or routing number), health insurance-related information (e.g., policy or group number), medical information (e.g., diagnosis, treatment-related information, prescription information, etc.), health card number, salary, gender and/or social insurance number.
Please be advised that not all categories of information pertaining to you may have been impacted.
Additionally, we want to assure you that at this time, there is no evidence suggesting that any individual’s personal or personal health information was or is being used by an unauthorized user for any purpose, including to commit fraud or identity theft, as a result of this incident.
Additionally, our third-party cybersecurity experts determined that they were unable to restore certain patient records, specifically optical images, which were encrypted and rendered inaccessible as a result of the incident. During your appointment at our clinic, we take images of your retina, including blood vessels and nerves located in your eye to monitor for any changes and abnormalities. While doctors will still be able to detect optical abnormalities during your visits, they may not be able to immediately diagnose those abnormalities without being able to compare them with optical images taken at an earlier date.
If you received an optical image scan at the following clinic locations, your optical images may have been lost as a result of the incident: Saskatoon 8th Street East (Saskatchewan), Regina – Albert Street (Saskatchewan), Edmundston (New Brunswick) or Duncan (British Columbia).
Please note that these optical images were not accessed or otherwise acquired as a result of this incident.
What We Are Doing.
Since the incident, we have been working with cybersecurity experts to restore systems as quickly and as securely as possible. We have also implemented enhanced security measures to better prevent an incident of this nature from reoccurring in the future. Furthermore, we have reported this incident to law enforcement as well as to the appropriate privacy authorities.
What You Can Do.
While we have no evidence that your personal information has been misused for any fraudulent purposes, we recommend remaining vigilant against common threats, such as phishing of spoofing attempts, to protect yourself and your information. Avoid clicking on links or downloading attachments from suspicious emails.
If you receive emails, letters, telephone calls or text messages purporting to be from FYidoctors asking for financial or any other personal information that you were not expecting, please consider the communication to be fraudulent, and contact us to confirm its authenticity.
We also encourage you to monitor your bank accounts and credit history to guard against any unauthorized transactions. If you notice any suspicious or potentially fraudulent activity, we recommend you contact your financial institution immediately.
Additional tips and resources for protecting your identity are available at: https://www.priv.gc.ca/en/privacy-topics/identities/identity-theft/guide_idt/.
If you determine that you may be impacted based on the description above, and you reside in Alberta, Manitoba, Newfoundland and Labrador, Nova Scotia or Ontario, please note that you also have the right to file a complaint with your respective privacy regulator. The Alberta privacy regulator can be contacted at 780-422-6860, toll-free at 1-888-878-4044 or generalinfo@oipc.ab.ca. The Newfoundland and Labrador privacy regulator can be contacted at 1-877-729-6309 or via email at commissioner@oipc.nl.ca. The Nova Scotia privacy regulator can be contacted at 902-424-4684 or 1-866-243-1564 or via email at oipcns@novascotia.ca. Contact details for other privacy regulators may be found on their website.
For More Information
We sincerely regret any inconvenience this incident may have caused. We are committed to further improving our security in order to prevent this from happening again in the future. If you have additional questions, please contact our call center at 1-844-450-7762 between the hours of 8:00 am and 8:00 pm EST and one of our representatives can assist you. Thank you for your understanding.
Yours sincerely,
Scott Kearl
Chief Privacy Officer