Canadian Healthcare Technology
Privacy & Security

Data thieves demanding ransom of CarePartners

July 18, 2018


TORONTO – Thieves who obtained the detailed medical histories and contact information of possibly tens of thousands of home-care patients in Ontario are demanding a ransom from CarePartners, the organization from which the data was taken.

CBC News says it was contacted by the thieves and sent a sample of the data that was allegedly accessed.

The sample includes thousands of patient medical records with phone numbers and addresses, dates of birth, and health card numbers, as well as detailed medical histories including past conditions, diagnoses, surgical procedures, care plans and medications for patients across the province.

Another document appears to contain more than 140 active patient credit card numbers and expiry dates, many with security codes.

The attackers claimed the sample was a subset of hundreds of thousands of patient records and related materials in their possession dating back to 2010.

The group wants a ransom in return for telling CarePartners how to fix its system breach. “We requested compensation in exchange for telling them how to fix their security issues and for us to not leak data online,” they told CBC News.

CarePartners did not answer questions about the ransom, and it is not clear if or when the data will be posted online.

Under Ontario’s Personal Health Information Protection Act, healthcare providers are required to “take precautions to safeguard against theft, loss, as well as unauthorized collection, use, disclosure, copying, modification or disposal of your personal health information” and ensure that health records are retained securely under Ontario law – but there is nothing that says data stored on computers or servers must be encrypted.

Violations of the act can lead to prosecution. If found guilty, companies can be fined up to $500,000, while individuals may be fined up to $100,000.

In a statement, CarePartners said it was contacted by the attackers via email on June 11, with an attachment later verified by the company to contain an authentic sample of patient and employee data. A week later, on June 18, CarePartners issued a news release notifying patients of the breach.

The sample of employee information viewed by CBC News contained T4 tax slips, social insurance numbers, bank account details and plaintext passwords. CarePartners said it notified affected employees directly.

The company says its forensic investigation has so far identified 627 patient files and 886 employee records that were accessed. But the sample provided to CBC News appears to contain names and contact information for more than 80,000 patients alone.

CBC News contacted ten patients whose records were included in the provided sample and confirmed they had been patients of CarePartners. Each said they had not been directly notified by CarePartners and were unaware there had been a breach.

Former patient Arthur Redublo (pictured) told CBC News it was “very troubling to know it was that easy to gain that information.” He said whatever steps had been taken to secure his information “obviously wasn’t enough.”

CarePartners said it had “proactively notified those patients whose records were inappropriately accessed” in conjunction with Ontario’s local health integration networks (LHINs) – Crown agencies established by the provincial government that contract with companies like CarePartners to provide home-care services such as nursing.

“The maximum extent of any breach with respect to patient information is the approximately 237,000 patients for which CarePartners has provided care and collected information,” the company said.

In a statement, the Office of the Information and Privacy Commissioner of Ontario said it is investigating.

The attackers told CBC News in an encrypted message that they discovered vulnerable software on CarePartners’ network that had not been updated in two years “by chance,” and were able to exploit those vulnerabilities and weak passwords to remove hundreds of gigabytes “completely unnoticed.”

“This data breach affects hundreds of thousands of Canadians and was completely avoidable,” the group told CBC News. “None of the data we have was encrypted.”

While Ontario’s privacy commissioner requires that personal health information be encrypted when stored on mobile devices, there is presently no similar requirement for desktop computers or servers.

“Encryption is one piece of the puzzle,” said lawyer Mary Jane Dykeman, a partner with the Toronto-based boutique firm DDO Health Law. “But it’s also possible that you hold information in a repository or in a system where, in and of itself it’s not encrypted, but you have a secure perimeter, if you will. You have a fence around it that people can’t just walk through.”

The attackers compared their work to corporate bug bounty programs, where some companies will pay security researchers in exchange for finding vulnerabilities in their systems. But this comparison is not especially accurate, as participants in these programs typically act with the company’s permission, and under strict rules around handling any sensitive data they encounter on the way.

CarePartners said it “takes the safeguarding of personal health and financial information seriously” – regularly updating its systems, and relying on a “leading third party” to manage its computers and networks.


© 2023 Canadian Healthcare Technology

The content of Canadian Healthcare Technology is subject to copyright. Reproduction in whole or in part without prior written permission is strictly prohibited. Send all requests for permission to Jerry Zeidenberg, Publisher.
