Mental health data of 700 Concordia employees leaked by hackers

Homewood Health, a mental health service provider, saw the data of 4,000 service users breached in 2021

The university confirmed the data breach with faculty members in February 2022. Photo: Mohammad Khan

Concordia’s employee assistance program (EAP) provider, Homewood Health, was the target of an extortion attempt. Hackers exposed the private health information of 700 members of the Concordia community, the Concordia University Faculty Association (CUFA) reported.

According to Homewood, the data breach occurred in March 2021, but the EAP only learned the extent of the issue months later. It shared news of the breach with Concordia in July, but the information given to the university contained “little detail at the time”, CUFA said.

Homewood followed up with the university in January 2022, letting the school know that the risk of leaked personal data was minimal. Concordia faculty members were notified via an email at the behest of the EAP in February.

The breach has been attributed to the hacking website Marketo, which calls itself a marketplace for leaked data. The website is currently down, though it had continued operating until November 2021, according to the Twitter account of its founder, Mannus Gott. The Twitter account claims that Marketo has stolen data from other companies, such as Align Technology and Epicor Software.

Homewood Health is one of the most popular EAP providers in Canada, offering mental healthcare benefits to over 3 million people, including eligible employees and their family members. Roughly 4,000 service users had their data breached by the Marketo hackers.

EAP providers are services that give employees access to short-term mental health services and counselling, covering both personal concerns and work-related matters. While EAPs are offered through workplaces, they are meant to remain completely separate from employers, giving privacy to those who access these services.

There were 289 bids on Marketo relating to the leaked Homewood data in July 2021. Homewood and Marketo have not confirmed whether this data was sold to any of these bidders, but the legitimacy of the leaked documents has been verified. Marketo allegedly attempted to use the data to extort Homewood Health, only auctioning off the documents when that attempt was unsuccessful. While Homewood Health said the risk of the data being sold or misused is low, CTV and an independent journalist at DataBreaches.net have found evidence that private information pertaining to individuals’ mental health records was part of the leak.

According to CUFA, Concordia staff that have been affected by this leak are frustrated with the university for not taking more decisive actions.


“Two CUFA members have contacted us to express their concerns and dissatisfaction with Homewood Health’s response to this situation,” said Léa Roboam, Communication and Research Officer for CUFA. “One member wants the company to be excluded from any future tenders.”

The provider has not reached out to individual employees affected by this breach, instead leaving it to individuals to call Homewood’s confidential hotline to find out whether the breach affected them. Homewood will also offer identity and credit monitoring protection to any person whose information was leaked, according to Drew Burroughs, Assistant Vice-President of Marketing at Homewood.

“Homewood Health, along with cyber security experts, have continued to monitor this situation closely and there has been no evidence of any disclosure or misuse of this information,” said Burroughs. “Based on efforts undertaken by Homewood Health and its third-party cyber security experts, it is believed such risk is low.”

The creator of the data leak blog DataBreaches.net, who goes by Dissent Doe, was able to confirm the authenticity of the leaked sensitive information that was on auction. They did so by using OSINT Techniques, a website for investigating public records.

“I found that I could match names and locations and other info in the leaked data to public records,” said Doe in an email. “There were also files in the leak that had Homewood letterhead, again providing some confirmation of source/attribution.”

The documents Doe found appear to show personal information about the services sought by individuals, including counselling for PTSD and depression. The information contained users’ names, workplaces and addresses listed alongside these services. It is unclear if the data was unencrypted prior to the breach.

Doe claimed that they reached out to Homewood for a statement, but received no response about these concerns.

Concordia spokesperson Vannina Maestracci said the university will be reviewing its partnership with Homewood Health in 2022. The university, she said, is unable to offer further information about this incident since employers are not meant to have oversight over EAP providers.

“The Employee Assistance Program (EAP) provided by Homewood Health is a confidential service and Concordia University does not know who among its employees (or their families) uses it,” said Maestracci. “This is a service we offer through an outside provider which is based on confidentiality and it would not be right for an employer to know who among its employees is accessing an assistance program such as this.”


The lack of options for tailoring EAP services to individual needs, and the lack of any ability to monitor the provider’s security, has been a source of frustration for staff members of the university, particularly for teaching assistants.

“It’s indicative of outsourcing privatized mental healthcare,” said Sam Thompson, a member of Teaching and Research Assistants at Concordia (TRAC). “When you don’t have these services in-house, you don’t have that oversight.”

TRAC members hope to see the school shift from external mental health services to a Concordia-specific system. The current EAP comes with additional issues outside of this data breach, such as long wait times and a lack of long-term mental healthcare, said Jonathan Llewellyn, Vice President of TRAC.

“There’s generally a lack of care when trying to access these services,” said Llewellyn. “A lot of the problems we face [as TAs] are things directly addressable by the employer. The resources we need should be provided by Concordia.”

TRAC has started a Mental Health Action Group to pressure the university into improving employee and student services for mental healthcare, with a hope to shift away from privatized services like Homewood.