You've been notified by a hospital that your information was stolen. Now what?
326,800 patients were impacted by last year's ransomware attack in southwestern Ontario
When Nicole Wilson first saw a letter in the mail from Windsor Regional Hospital telling her that her personal information has likely been exposed, she says she "panicked."
"I called my husband right away and was like, 'oh my God, so what do I do now?' said Wilson.
"How do I find out if my information is at risk and what's at risk?"
Wilson is one of 326,000 patients whose information was stolen during a cyberattack incident last year. She and many others have started receiving letters from one (or more) of five southwestern Ontario hospitals impacted, notifying them that their information was likely leaked on the dark web.
"I still have questions because it doesn't really give any information in the letter," said Wilson, adding she wants to know the exact information that could have been exposed.
Why am I getting this letter?
On Oct. 23, IT provider TransForm Shared Services — which supports Windsor Regional Hospital, Hôtel-Dieu Grace Healthcare, Erie Shores HealthCare, Chatham-Kent Health Alliance and Bluewater Health in Sarnia — experienced a ransomware attack.
Computer systems at all of the hospitals were offline for several weeks, as hackers took control and stole personal patient and employee information. The attackers attempted to get the hospitals to pay a ransom, but the hospitals said they refused to pay.
Since then, the hospitals have worked on restoring their software and, earlier this month, said they would start notifying people whose information was likely impacted.
But for many, there's concern about what this means and uncertainty on what to do next.
Why did it take so long for me to get notified?
Saeed Samet, associate professor at the University of Windsor's School of Computer Science, says there's a lot that needs to be done when a ransomware attack first takes place.
In this case, Samet said the IT provider TransForm and the hospitals were likely focused on trying to continue to provide service to their patients and try to get their systems back online as quickly as possible.
"The very first priority will go to those things," he said.
"They have to have some type of restoration of information to make sure that some sensitive operations will be not in much delay."
And it's often not immediately clear what information has been taken.
"The digital forensics to prove what data may or may not have been lost can be incredibly complex and difficult and time-consuming," said cybersecurity expert David Shipley, who's based in New Brunswick.
"Think about this as CSI [Crime Scene Investigation] for cyber."
He said they're trying to dissect what was touched by the criminals and, if they can't get a clear picture, they might have to assume what was included in the data breach.
What can happen if my information was stolen?
Shipley, who is also the CEO and founder of cybersecurity organization Beauceron Security, says cybercriminals can use the information for identity theft, extortion and scams.
"The more that information they can gather about you from various sources, the more authentic and realistic and more likely their success with identity theft," Shipley said.
But it also depends what information is stolen, he says. Name and email are lower risk, whereas a Social Insurance Number, banking information or sensitive health information can place someone at a higher risk.
He added that people who had sensitive health information stolen — about sexually transmitted infections, mental or reproductive health procedures — can be at a greater risk of extortion.
What should I do?
There's not much you can do, say cybersecurity experts.
At this point, it's already been six months since the ransomware attack and since your information was likely leaked on the dark web.
If there are credentials or passwords for the information you've been told has been taken, Samet advises people to change that and to activate multi-factor authentication — this is a security measure that forces people to prove they are who they say they are when going to access sensitive information.
He added that if banking information was involved, it's best to make your financial institution aware.
Shipley says people should be on high alert of anything suspicious.
"Be extra vigilant about anything even related to the topic that you received a breach notification about," he said.
"Be extra skeptical for a while."
And if you see unusual activity, Shipley says report it to local police, to the hospital(s) where your information was taken from and to the Canadian Anti-Fraud Centre.
Should I go on the dark web to see if my information is actually there?
"No," says Shipley.
"There are lots of services you can engage with."
He said get professionals to do that for you, but don't start surfing away on the dark web because that could lead to trouble.
Is this being investigated?
When the cyberattack took place, TransForm said that multiple investigations were happening, including a criminal investigation and one by Ontario's Information and Privacy Commissioner.
When asked Tuesday by CBC News whether these were still ongoing, TransForm said it couldn't share that information.
In November, a Sarnia resident filed a proposed $480 million class action lawsuit against all five hospitals and TransForm because information was breached.
It's unclear where this now stands. Sarnia's Superior Court of Justice says there are no updates related to the case.