Cybersecurity incident involving some MÉDIC Construction insureds
On October 13, the Commission de la construction du Québec (CCQ) was informed by one of its suppliers that confidential data concerning most of MÉDIC Construction’s insureds had been affected by a cybersecurity incident.
To manage and administer MÉDIC Construction insurance claims, the CCQ works with the supplier GreenShield Canada (GSC), which uses the specialized platform MOVEit for secure data transfers. The cybersecurity breach in question here took place last May, as part of a well-documented incident involving MOVEit, affecting at least 66 million individuals all over the world.
It was only on October 24, following an analysis conducted by the CCQ, that it became clear that the personal information of MÉDIC Construction insureds, as well as the identities of those concerned, had been affected by the security breach.
How many people are affected by the cybersecurity incident?Most of MÉDIC Construction’s insureds and their dependents have been affected by the incident. Worldwide, the security breach involves 66 million individuals.
How do I know if my dependents or I are among the people affected?
MÉDIC Construction’s insureds affected by the cybersecurity incident will receive or have already received a letter from the Commission de la construction du Québec. The letters were sent on Novembre 6.
Insureds who were not affected will also receive a letter confirming that they do not have to take any measures.
I've received two letters from you concerning the cybersecurity incident. What should I do now?If you receive two letters, concerning the cybersecurity incident, please consider the one informing you that you have been affected to be the correct one.
What do I do if my data were affected by the incident?
- As a MÉDIC Construction insured, you must notify your dependents, if applicable, of the situation and of the measures they can take to protect themselves.
- We strongly recommend that you use the Equifax credit monitoring and identity theft protection services. Following this incident, a free 24-month subscription is being offered to affected MÉDIC Construction insureds and to their dependents age 18 and over. Information on how to subscribe to these services is included in the letter that has been sent to you. You have until February 29, 2024 to activate your account.
Equifax Complete TM Premier plan :
- Lost Wallet Assist: One-stop assistance in cancelling and reissuing your credit or debit cards, driver's license, SIN card, insurance cards, passport and traveler's checks when your wallet is lost or stolen
- WebDetect™M (Internet Scanning): Receive alerts when we detect your personal information (e.g. SIN or credit card number) being used on the Internet
- Daily credit monitoring with email notifications of key changes to your credit profile
- Unlimited access to your Equifax Credit Score™M and report
- Identity Restoration: A dedicated Identity Restoration Specialist will work on your behalf to restore your identity should you become a victim of identity theft.
- Up to S1 000 000 of identity theft insurance
- View how your score trends over time
I received a letter from the CCQ indicating that my data were affected by the cybersecurity incident concerning MÉDIC Construction insureds, but I already have a subscription to the Equifax services. Do I still have to subscribe?To ensure that you have adequate coverage, it is strongly recommended that you call Equifax. Its agents will be able to make the necessary verifications and tell you what steps to take in your situation.
Please note that the CCQ has mandated Equifax to provide guidance in managing the incident.
What is the deadline for subscribing to the Equifax services?You have until February 29, 2024, to activate your account and take advantage of the free 24-month subscription offered to MÉDIC Construction insureds and their dependents aged 18 and over affected by the cybersecurity incident.
What data in my file may have been affected by the incident?
This cybersecurity incident affects only the following personal information about you and your dependents:
- Last name, first name, gender
- Residential and electronic addresses (excluding dependents)
- Telephone number (excluding dependents)
- Date of birth
- Bank account number (excluding dependents)
- Some brief details related to claims
All other information held by the CCQ, notably your social insurance number, were not affected.
There was a delay between the announcement of the massive MOVEit leak and confirmation that MÉDIC Construction insured’s data were affected. How do you explain this?Although the event behind the cybersecurity breach took place in May, it is important to note that the CCQ was informed on October 13 by one of its suppliers that the confidential data of MÉDIC Construction insureds and their dependents were concerned. However, it was only on October 24, following an analysis conducted by the CCQ, that it was confirmed that specific personal information, and the identities of the people concerned, were potentially affected by the security breach.
Does the situation have an impact on my MÉDIC Construction services?No. This situation has no impact on the services offered by MÉDIC Construction.
What measures have been taken to ensure that this situation doesn’t occur again?
The CCQ takes the protection of its clients’ personal information very seriously. Therefore, we are taking concrete measures, including the following:
- Taking responsibility and following up closely with the supplier to ensure that strict measures are applied
- Keeping a watch on all digital platforms, including hacker sites, to identify any malicious use of data
- A review by an external consultant to recommend all new practices to implement, notably with our suppliers, to avoid having such a situation occur again
- The obligatory declarations to the Commission d’accès à l’information du Québec and the Registre d’incident
I’m uneasy about the security of my and my dependents’ data. What measures can I take as a precaution?You can take several measures to protect your personal information.
Subscribe to Equifax: If you received a letter from the CCQ indicating that your data have been affected in the cybersecurity incident concerning MÉDIC Construction insureds, we strongly recommend that you use the Equifax credit monitoring and identity theft protection services, which are being offered free of charge for 24 months. You have until February 29, 2024 to activate your account.
Keep an eye on your accounts: Regularly check your bank accounts and other online accounts to uncover any suspicious activity. Notify your financial institution of any unauthorized activity or concern.
Change your passwords: As a precaution, regularly change the passwords on all your online accounts. Choose passwords that are difficult to guess and avoid reusing them on different platforms.
Be vigilant: Be particularly careful when you receive emails (especially those with a suspicious link or attachment) or unsolicited messages or phone calls asking you to provide personal information.
I still have questions. Where can I get answers?
For any question or concern about this incident, please call the line dedicated to MÉDIC Construction insureds, 1 833 393-3192 (Monday to Friday, 8:30 a.m. to 4:30 p.m.).
What is MÉDIC Construction?
What is a dependent?
Dependents of an insured (employee or retiree) person may benefit from insurance coverage when they are recognized by MÉDIC Construction. To do this, the insured must declare his or her dependents and provide the required documentation.
An employee’s or a retiree’s dependents may be:
- A spouse
- Dependent children
- A spouse’s children who are an employee’s dependents
To find out more about dependents, click here.
Who will pay the costs related to the Equifax services?Neither the MÉDIC Construction plan nor the CCQ will pay for these services; it is the CCQ’s supplier, Greenshield Canada, that will take care of the costs related to the Equifax services.
What should I do if I think I have been the victim of fraud?
Up to now, we have no indication that the data affected have been disclosed or used to malicious intent. However, if you think you have been a victim of fraud :
- Report the incident to local police as quickly as possible
- Advise your bank and credit card companies if it is a financial incident
- Contact Equifax so they can take the necessary action for your situation
- Notify the Canadian Anti-Fraud Centre
- Report any missing identity documents or cards, such as a driver’s licence, a health card or immigration documents to the appropriate organization
- Change your passwords and monitor your accounts regularly
I would like to make a complaint to the CCQ; how can I do this?