Patients affected by southwestern Ontario hospital cyberattack to be notified next week
Letters to be sent out week of Apr. 8 to people who had info stolen
Hundreds of thousands of letters will be in the mail next week, notifying patients who had their information stolen by cyber criminals in a ransomware attack which hit five southwestern Ontario hospitals last October.
In a joint statement, officials with Bluewater Health, Chatham-Kent Health Alliance, Erie Shores HealthCare, Windsor Regional Hospital and Hôtel-Dieu Grace Healthcare said affected patients will be notified.
"This complex cyberattack took place … and impacted each hospital individually," it stated.
"Except for Bluewater Health, electronic medical records were not impacted. However, personal health information stored elsewhere on our systems was involved, including patient, and for some organizations, employee information."
Some patients overlap across the five hospitals, meaning they could get multiple letters.
Here are the approximate totals of affected patients:
- Bluewater Health: 82,000
- Chatham-Kent Health Alliance: 69,000
- Erie Shores HealthCare: 102,000
- Hôtel-Dieu Grace Healthcare: 46,000
- Windsor Regional Hospital: 27,800
Bluewater Health CEO Paula Reaume-Zimmer said the hack and ensuing review process has been complex.
"This type of data analysis takes significant time, especially given the large quantity of data involved across the five hospitals," she said.
"I'm extremely proud of how quickly we're able to get to this moment of notification."
Kristin Kennedy, CEO of Erie Shores HealthCare, said the Leamington hospital was primarily affected in relation to registration and administrative reports stolen from a restricted shared drive.
"The reports included patient name only, or a combination of information, including address, date of birth, a card number, and a generic reason for a patient visit," said Kennedy.
Patients' social insurance numbers and financial information were not a part of the breach, she said.
"It is important to note that patient medical records were not accessed."
Hôtel-Dieu Grace Healthcare in Windsor said its hospital also did not see patient records accessed as part of the hack. However, some items were stolen.
"Names, dates of birth, perhaps locations of care, and some of our program details," said the hospital's CEO Bill Marra. "Diagnosis, treatment information and health card numbers."
Windsor Regional Hospital CEO David Musyj said criminal cyber attacks are becoming far too common throughout Canada and beyond.
"These are disgusting acts, particularly when aimed at vulnerable populations, including those who come to our hospitals for care and the hardworking and dedicated frontline staff who care for them," he said.
Recovery efforts for affected services by the ransomware attack are nearly complete, according to the five hospitals.
Their intention is to also continue using the shared IT service provider TransForm, for "efficiency and optimization" reasons — including best practices around cybersecurity.