About one-third of a million patients to receive notice about their compromised data in Ontario hospital cyberattack

Approximately 326,800 letters will be issued to patients from five hospitals in southwestern Ontario next week, notifying them that their information was compromised in the October 2023 cyberattack.

 

The attack — which a group called Daixin Team has previously claimed responsibility for — affected the shared IT service provider for Windsor Regional Hospital, Hotel-Dieu Grace Healthcare, Erie Shores Healthcare, Chatham-Kent Health Alliance and Bluewater Health.

 

Top officials from all five hospitals made the announcement Wednesday, noting the cyberattack on TransForm Shared Services resulted in varying levels of information being compromised at each institution.

 

The number of patients expected to receive written notice that their information was compromised in some capacity are:

• Erie Shores HealthCare: 102,000.
• Bluewater Health, 82,000.
• Chatham-Kent Health Alliance: 69,000.
• Hotel-Dieu Grace Healthcare: 46,000.
• Windsor Regional Hospital: 27,800.

If an individual has been a patient at multiple hospitals over the last several years, they may receive more than one letter.

 

At Windsor Regional Hospital, stolen data primarily consisted of patient names, room numbers, general diagnoses and other admission-related information.

Patient health records, social insurance numbers and bank account information were not compromised at Windsor Regional Hospital, CEO David Musyj said Wednesday.

 

“Generally speaking, from a patient’s lens, systems have been largely restored at Windsor Regional Hospital — [except] for some ancillary systems,” said Musyj. “We have to ensure when bringing these systems back up that the security is verified by a third party.”

 

One hospital which did see social insurance numbers stolen from patients is Bluewater Health. Approximately 20,000 of its patients had their SINs compromised.

 

Bluewater Health’s president and CEO said the cyberattack primarily impacted their diagnostic imaging and testing labs “and our ability to communicate reports to our healthcare providers in the community.”

 

“We did have a backlog of approximately 9,000 diagnostic imaging [scans]. So that’s CT, x-ray, MRI. All of those individual appointments have been rebooked and those individuals are now expecting to arrive for their appointments,” said Paula Reaume Zimmer.

 

According to Erie Shores HealthCare CEO Kristin Kennedy, the cyberattack primarily targeted administrative reports from a restricted shared drive.

 

In some cases, reports included patient names. However, other cases resulted in a “combination of information” being breached, such as an addresses, dates of birth, health card numbers and “generic reasons for a patient visit.”

 

“No social insurance numbers or financial information were part of our patient breach,” said Kennedy, adding patient medical records at the Leamington-based hospital were not accessed either.

 

Kennedy added Erie Shores Healthcare is expected to open a mobile MRI unit in about six weeks which will “prioritize patients currently on a regional MRI waitlist.”

 

When asked if the five hospitals would veer away from sharing an IT service provider, Kennedy said they remain committed to the restoration and recovery of TransForm.

 

She did not disclose details regarding what security enhancements are being made to avoid future cyberattacks, noting this is currently a “legal matter in the courts.”

 

“We were actively involved in the development of cyberattack security as with our many hospitals across the province and we continue to be and we will continue to do so,” added Kennedy.

 

At the Chatham-Kent Health Alliance, president and CEO Lori Marshall said some of the information they lost included patient names, addresses, treatment information, diagnoses and appointment dates.

 

“To be clear, very few health card numbers were stolen,” said Marshall, without specifying exactly how many.

According to Marshall, who said social insurance numbers of CKHA patients were not compromised by the cyberattack, critical systems relating to diagnostics and therapeutics have been fully restored.

 

She added back-office systems, encompassing non-clinical functions such as human resources and finance, have also been fully restored.

 

“Work is well underway at CKHA to restore the remaining subsidiary systems, across both the clinical and administrative areas. We expect the majority of these will be completed before the end of June 2024,” she said.

 

Hotel-Dieu Grace Healthcare saw patient names, dates of birth, locations of care, program details, diagnosis, treatment information and health card numbers stolen as a result of the cyberattack, according to HDGH president and CEO Bill Marra.

 

“Most system restoration has been completed … Most recently, our financial and security systems have been brought online, resulting in more normal operations,” Marra said.

 

A statement of claim obtained by CTV News in November 2023 showed all five hospitals are facing a $480-million class action lawsuit. It argues the hospitals failed to adequately protect patient records.

 

 

 

 

This article was first reported by CTV News