Info from 5.6 million patient visits among data stolen in ransomware attack on Ontario hospitals
A 3rd set of data has been published on the dark web, site says, as OPP continue investigation
A database containing information on 5.6 million patient visits to Bluewater Health and the social insurance numbers of as many as 1,446 Chatham-Kent Health Alliance employees are among the data taken in the ransomware attack on five southwestern Ontario hospitals, officials said in a lengthy update Monday.
The update — including specific information about what was stolen from each hospital — comes after some data was published by the hackers online.
"All hospitals have some degree of patient and employee information affected," the hospitals said in a joint afternoon statement. "All of our hospitals are diligently investigating the stolen data to determine who is impacted."
The cyberattack on Oct. 23 has led to a system outage involving patient records, email and more at Windsor Regional Hospital, Erie Shores HealthCare, Hôtel-Dieu Grace Healthcare, Bluewater Health and Chatham-Kent Health Alliance. It has also delayed appointments for patients.
Neither the hospitals nor TransForm — the hospitals' IT and payroll administration organization, which is at the centre of the attack — have paid ransom demanded by attackers.
TransForm says anyone whose data has been compromised will be contacted directly.
According to the joint statement from the hospitals, attackers were able to steal data from a shared file server that included patient data of "varied amounts and sensitivity."
"The stolen data is in many formats, some of which are easier to analyze," officials said in their statement.
Also targeted was a Bluewater Health patient database report.
Not stolen in the attack are databases related to employee payroll, accounts payable, electronic health record information at hospitals other than Bluewater Health and donor information.
The hospitals called the information released Monday "an initial update on what is known to date," saying that analysis is still ongoing.
Hospitals summarize known extent of breach
- Bluewater Health in Sarnia: The stolen database report includes information on 5.6 million visits made by 267,000 unique patients. The hospital says it is still determining the specific individuals included in the report, and that the report did not include clinical documentation records. Employee and staff SIN and banking information was not taken.
- Chatham-Kent Health Alliance: An employee database that contained information about 1,446 employees working at the hospital as of Feb. 2, 2021, was taken. That information includes names, SINs, addresses and rates of pay, among other basic personal information. But the database did not include professional staff or volunteers. No banking information was stolen. The CKHA's electronic health record was not affected, but a shared drive did contain some patient information still being analyzed by the hospital.
- Erie Shores HealthCare in Leamington: A "limited set" of stolen data includes 352 current and past employee social insurance numbers (SIN). The hospital says not all of its workforce was affected, so impacted employees will be notified directly. No banking information was stolen.
- Windsor Regional Hospital: Officials say that in a limited portion of a shared drive used by staff, some patients were identified, either by name only or with a brief summary of their medical conditions. The information does not include any patient charts or electronic medical records. Information pertaining to some employees, like staff schedules, was affected, but WRH believes no SINs or banking information was taken.
- Hôtel-Dieu Grace Healthcare in Windsor: The breached shared drive included some patient information the hospital is still analyzing. Some employee information was stolen, but the hospital says that does not include SINs or banking information.
The hospitals are all offering free credit monitoring to their employees and professional staff. Past employees whose information may have been affected, like at CKHA, can sign up in person at the hospital or will receive a letter with instructions.
The hospitals said they anticipate an update on the restoration of systems in the coming days and they have reported findings to the Ontario Information and Privacy Commissioner.
The hospitals have set up a cybersecurity hotline for questions from patients, at 519-437-6212, with hours from 8 a.m. to 11 p.m. Monday to Friday. Staff can direct questions to their HR teams.
"We condemn the actions of cybercriminals, in the health-care sector and elsewhere, in our communities and around the world," officials said. "We understand the concern this incident has raised within our communities, including patients and our employees and professional staff, and we deeply apologize."
Cybercriminal group exposes new batch of data: blog
The update from the hospitals comes after another bunch of sensitive patient data was released onto the dark web by the cybercriminal group that has claimed responsibility for the attack, according to the author of a site that tracks data breaches.
This is the third round of data that has been published after the five hospitals agreed not to pay a ransom.
The first round of data, which included scans of patient information like records and claims, was published on Nov. 1. The second round of data, published on Friday, included COVID-19 vaccine records, including names and, in some cases, reactions to vaccines.
This third round of data, according to DataBreaches.net — a blog that covers cyberattacks — was released on Sunday.
CBC News has not independently verified the claims in the blog, but has verified the identity of the author of the website. An expert told CBC that while the author, who uses the pseudonym Dissent Doe, has a track record of credibility, specific claims made by hackers should be taken with some skepticism.
The author of DataBreaches.net says through email that the cybercriminal group Daixin took responsibility for the attack last week.
According to Dissent, the third round of data includes some personnel information, sensitive patient information and IT-related data.
They say this involves discharge data on patients between 2013 and 2015, as well as survey responses, patient complaints and internal hospital reviews that have been done.
Dissent writes that their description of what data was leaked is "intended to remind the public what can happen when threat actors can gain access to a network and why entities need to really evaluate whether they have adequate security for sensitive files."
Dissent adds in their blog that there is still another part of the data that Daixin hasn't yet dumped: databases.
During a news conference in Toronto on Monday, Minister of Health Sylvia Jones said Ontario Provincial Police continue to investigate the cyberattack.
"Without a doubt, we are very concerned when any type of patient access is compromised and we continue to support those hospitals to make sure that as they work through finding out exactly where the breach was and ... ensuring that doesn't happen again," Jones said.