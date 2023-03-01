The number of warning letters associated with the cyberattack on Sobeys last fall continues to grow, and now includes one of the biggest health insurance companies in Canada.

CTV News has confirmed a new round has gone out to customers of Medavie Blue Cross, which is based out of Moncton, N.B.

In a late afternoon statement to CTV News, the company said it all goes back to the original breach.

"Managed Health Care Services Inc. (MHCSI), a subsidiary of Sobeys, notified us that they would be sending a communication to some of our members advising that an unauthorized third-party gained access to certain servers containing information relating to MHCSI customers on Nov. 1, 2022," said Brittany Mitchelmore, Medavie senior communications advisor, in the statement.

"MHCSI is a partner in our Preferred Pharmacy Network, which is a benefit provided to some of our clients. Based on what we know today, we have no indication that any member information was accessed. Our company wants to assure our clients that we have a number of security procedures in place to protect their information from unauthorized access. Any questions related to this should be directed to MHCSI," the statement concluded.

Dartmouth resident Bill Zebedee has now received three copies of the same letter in the mail, but the lack of information is frustrating, he says.

"It's just not clear from the letter who was involved in this," said Zebedee, noting that his employer has recently changed health plans.

"We were with Great West. We're with Blue Cross now," he said.

MHCSI is a company that provides group benefit plans and works with pharmacies, including Sobeys and Lawtons.

The empire waited until the latter-half of February to publically acknowledge a major data breach last fall.

CTV News inquired about the expanded round of letters Wednesday and received a statement similar to previous information.

"As we have previously stated, we had a cybersecurity event in November. With the help of external experts, we have investigated how an unauthorized third party gained access to some of our servers and systems. The process to identify what data was impacted has been extremely complex, and we’ve now reached a point where we can notify those who were potentially impacted," the unsigned statement read.

"We have seen no evidence that personal data was accessed or removed from our servers; however, out of an abundance of caution, we have sent notifications to those who could have been potentially impacted and in compliance with our regulatory obligations. IT security is and has always been a priority for us. Trust and transparency matter deeply to us and we regret that this event occurred."

"Cybercrime is really, really difficult to solve right now," said cybersecurity expert Terry Cutler from his office in Montreal.

Known as the Ethical Hacker, he says even basic contact information can be a gold mine for cyber-criminals.

"They have access to home address, phone number, email. Now, they can send all these types of scams to them. Phishing emails, social engineering attacks. This is where you might get a call saying, 'This is Amazon. We've got a charge on your card. Press one to speak to somebody.' And somebody gets into your computer and tries to defraud you," said Cutler.

While some of the letters have offered a free subscription to a credit monitoring service, Zebedee says he's been told he's not eligible, but he believes the company should offer it to everyone impacted.

"It's going to cost them a boat load, but, the response I'm hearing from the public, the public embarrassment for the company is costing them a lot more than what the monitoring would cost them," he said.