Southwestern Ontario hospital cyberattack cost organizations at least $7.5M
Some hospitals have brought in new systems following the attack
A ransomware attack that forced critical systems at five southwestern Ontario hospitals offline for weeks last year has cost those organizations upwards of $7.5 million.
The October 23 cyberattack compromised private records of hundreds of thousands of employees and patients when hackers gained access to the organizations' system.
That attack forced people to postpone or reschedule surgeries and appointments at Windsor Regional Hospital, Erie Shores HealthCare, Hôtel-Dieu Grace Healthcare, Bluewater Health and Chatham-Kent Health Alliance.
The hospitals also had to transfer radiation treatments for cancer patients to other hospitals.
Hackers were able to pull social insurance numbers and patient visit information from some of the hospitals and post them online.
Hospitals incur millions in cyberattack costs
The attack cost Windsor Regional Hospital a total of $3.8 million according to its annual financial statement.
Insurance covered $1.5 million, while the rest paid out by the organization.
"Obviously there was a cost to ensure and protect patient care delivery during the cyberattack as best we could under difficult circumstances instigated by criminals," wrote a spokesperson in a statement to CBC News.
Bluewater Health in Sarnia tallied just over $2 million in costs, about half of which was covered by insurance.
The hospital's chief financial officer said that they expect to continue to absorb costs caused by the attack this year.
"We have ongoing costs associated with the attack in the 2024-25 fiscal year as we continue to recover systems and work on transitioning to our new hospital information system with a planned go-live in November 2024," wrote Marlene Kerwin in a statement.
"Despite the challenges, we maintained our commitment to safe, quality patient care throughout this period."
Erie Shores HealthCare in Leamington built a new system that will help restore diagnostic imaging services and operate as a backup if another issue occurs.
A spokesperson said the hospital's total cost for the cyberattack came to $600,000 and that it was used address challenges caused by the attack.
"The costs included additional staffing to manage inefficiencies without the system, back loading data into our current digital system and providing credit monitoring for staff affected by the breach," wrote Kevin Black, communications manager at the hospital.
Chatham-Kent Health Alliance said in a statement to CBC it paid out $1.1 million in costs related to the attack
Hôtel-Dieu Grace Healthcare's financial statement did not give a specific amount and said that the hospital believe costs will be covered by insurance.
Senior leaders need to be aware of downstream risks
Each hospital was affected differently by the attack but all used the same IT and payroll administration organization TransForm.
The organizations said last year they did not pay a ransom and announced that most of their systems were back online in February.
Experts warn that the criminals working to hack into organizations are getting more advanced and have learned that compromising data can have a greater financial reward than a business' financial assets.
Randy Purse is a senior cyber security advisor with Rogers Cybersecure Catalyst, Toronto Metropolitan University's national centre for training, research, and collaboration in cyber security.
He said there's three key areas to think about when it comes to cyber attacks.
"When we talk about cyber criminals there's the motivation, which is very difficult to demotivate them, there's the capabilities they have, which we can do very little to disrupt," said Purse.
"But there's the opportunity ... The best thing that we can do is deny them the opportunity to attack us."
Purse said employers should look to educate employees so they understand what the risks are and ensure that senior managers understand a cyber attack has downstream affects that go above financial costs.
"There's been times when people have lost employees as a result of being hit."
With files from Christopher Ensing