Patients affected by southwestern Ontario hospital cyberattack to be notified next week

Hundreds of thousands of letters will be in the mail next week, notifying patients who had their information stolen by cyber criminals in a ransomware attack that hit five southwestern Ontario hospitals last October.

Letters to be sent out week of Apr. 8 to people who had info stolen

community mail boxes
Starting April 8, letters will be mailed out to people impacted by the October cyberattack of southwestern Ontario hospitals. (Stu Mills/CBC)

Hundreds of thousands of letters will be in the mail next week, notifying patients who had their information stolen by cyber criminals in a ransomware attack which hit five southwestern Ontario hospitals last October.

In a joint statement, officials with Bluewater Health, Chatham-Kent Health Alliance, Erie Shores HealthCare, Windsor Regional Hospital and Hôtel-Dieu Grace Healthcare said affected patients will be notified.

"This complex cyberattack took place … and impacted each hospital individually," it stated. 

"Except for Bluewater Health, electronic medical records were not impacted. However, personal health information stored elsewhere on our systems was involved, including patient, and for some organizations, employee information."

Some patients overlap across the five hospitals, meaning they could get multiple letters.

Here are the approximate totals of affected patients:

  • Bluewater Health: 82,000
  • Chatham-Kent Health Alliance: 69,000
  • Erie Shores HealthCare: 102,000
  • Hôtel-Dieu Grace Healthcare: 46,000
  • Windsor Regional Hospital: 27,800

Bluewater Health CEO Paula Reaume-Zimmer said the hack and ensuing review process has been complex.

"This type of data analysis takes significant time, especially given the large quantity of data involved across the five hospitals," she said. 

"I'm extremely proud of how quickly we're able to get to this moment of notification." 

Paula Reaume-Zimmer.
Paula Reaume-Zimmer is CEO of Bluewater Health in Sarnia, Ont. (Kelly Francis/Bluewater Health)

Kristin Kennedy, CEO of Erie Shores HealthCare, said the Leamington hospital was primarily affected in relation to registration and administrative reports stolen from a restricted shared drive.

"The reports included patient name only, or a combination of information, including address, date of birth, a card number, and a generic reason for a patient visit," said Kennedy.

Patients' social insurance numbers and financial information were not a part of the breach, she said.

"It is important to note that patient medical records were not accessed."

Hôtel-Dieu Grace Healthcare in Windsor said its hospital also did not see patient records accessed as part of the hack. However, some items were stolen.

"Names, dates of birth, perhaps locations of care, and some of our program details," said the hospital's CEO Bill Marra. "Diagnosis, treatment information and health card numbers."

A closeup shows a person's hands typing on the keyboard of a laptop computer, with blurred green text on its screen.
The ransomware attack was first reported in October. It disrupted services and saw patient and staff information breached. (Tero Vesalainen/Shutterstock)

Windsor Regional Hospital CEO David Musyj said criminal cyber attacks are becoming far too common throughout Canada and beyond.

"These are disgusting acts, particularly when aimed at vulnerable populations, including those who come to our hospitals for care and the hardworking and dedicated frontline staff who care for them," he said.

Recovery efforts for affected services by the ransomware attack are nearly complete, according to the five hospitals.

Their intention is to also continue using the shared IT service provider TransForm, for "efficiency and optimization" reasons — including best practices around cybersecurity.

A collage featuring signs or exteriors of five hospitals.
Five southwestern Ontario hospitals were hit by a ransomware attack on Oct. 23. (CBC/Erie Shores Healthcare Facebook)