Eastern Health said in a release today the flash drive contains a spreadsheet with the names, employee numbers and social insurance numbers of about 3,300 of its employees, and the names and employee numbers only of another 5,700.
The flash drive was last used on June 17 as part of a project in the health authority's human resources department, and was discovered missing by the project manager on June 19. It has no passwords or other security measures in place.
"It was a drive that was simply being used in human resources and wasn't meant to go external," said David Diamond, the president and CEO of Eastern Health.
"So inappropriately, as it turns out, the decision was made not to encrypt."
Diamond said the health authority interviewed personnel and conducted a physical search of the offices without finding the flash drive. They are now awaiting recommendations from the province's information and privacy commissioner, who has launched a formal investigation.
"We believe it's lost - it's either gone to the garbage, or tucked in a file or someplace that we haven't yet been unable to find. That would be our guess," Diamond said, adding he has no reason to believe anything fraudulent has occurred.
"But because we don't know where it is, and can't account for it, is the reason we wanted to disclose...as early as we can," Diamond said.
The health authority has begun contacting the employees whose social insurance numbers were on the USB drive, and will continue to do so through the weekend, Diamond said. He said employee numbers aren't private, so there is no risk to those workers whose name and identification number only were on the flash drive.
Eastern Health has dealt with two privacy breaches, both involving patient files, in the last three years.