Data thieves demanding ransom of CarePartners

TORONTO – Thieves who obtained the detailed medical histories and contact information of possibly tens of thousands of home-care patients in Ontario are demanding a ransom from CarePartners, the organization from which the data was taken.

CBC News says it was contacted by the thieves and sent a sample of the data that was allegedly accessed.

The sample includes thousands of patient medical records with phone numbers and addresses, dates of birth, and health card numbers, as well as detailed medical histories including past conditions, diagnoses, surgical procedures, care plans and medications for patients across the province.

Another document appears to contain more than 140 active patient credit card numbers and expiry dates, many with security codes.

The attackers claimed the sample was a subset of hundreds of thousands of patient records and related materials in their possession dating back to 2010.

The group wants a ransom in return for telling CarePartners how to fix its system breach. “We requested compensation in exchange for telling them how to fix their security issues and for us to not leak data online,” they told CBC News.

CarePartners did not answer questions about the ransom, and it is not clear if or when the data will be posted online.

Under Ontario’s Personal Health Information Protection Act, healthcare providers are required to “take precautions to safeguard against theft, loss, as well as unauthorized collection, use, disclosure, copying, modification or disposal of your personal health information” and ensure that health records are retained securely under Ontario law – but there is nothing that says data stored on computers or servers must be encrypted.

Violations of the act can lead to prosecution. If found guilty, companies can be fined up to $500,000, while individuals may be fined up to $100,000.

In a statement, CarePartners said it was contacted by the attackers via email on June 11, with an attachment later verified by the company to contain an authentic sample of patient and employee data. A week later, on June 18, CarePartners released a news release notifying patients of the breach.

The sample of employee information viewed by CBC News contained T4 tax slips, social insurance numbers, bank account details and plaintext passwords. CarePartners said it notified affected employees directly.

The company says its forensic investigation has so far identified 627 patient files and 886 employee records that were accessed. But the sample provided to CBC News appears to contain names and contact information for more than 80,000 patients alone.

CBC News contacted ten patients whose records were included in the provided sample and confirmed they had been patients of CarePartners. Each said they had not been directly notified by CarePartners and were unaware there had been a breach.

Former patient Arthur Redublo (pictured) told CBC News it was “very troubling to know it was that easy to gain that information.” He said whatever steps had been taken to secure his information “obviously wasn’t enough.”

CarePartners said it had “proactively notified those patients whose records were inappropriately accessed” in conjunction with Ontario’s local health integration networks (LHINs) – Crown agencies established by the provincial government that contract with companies like CarePartners to provide home-care services such as nursing.

“The maximum extent of any breach with respect to patient information is the approximately 237,000 patients for which CarePartners has provided care and collected information,” the company said.

In a statement, the Office of the Information and Privacy Commissioner of Ontario said it is investigating.

The attackers told CBC News in an encrypted message that they discovered vulnerable software on CarePartners’ network that had not been updated in two years “by chance,” and were able to exploit those vulnerabilities and weak passwords to remove hundreds of gigabytes “completely unnoticed.”

“This data breach affects hundreds of thousands of Canadians and was completely avoidable,” the group told CBC News. “None of the data we have was encrypted.”

While Ontario’s privacy commissioner requires that personal health information be encrypted when stored on mobile devices, there is presently no similar requirement for desktop computers or servers.

“Encryption is one piece of the puzzle,” said lawyer Mary Jane Dykeman, a partner with the Toronto-based boutique firm DDO Health Law. “But it’s also possible that you hold information in a repository or in a system where, in and of itself it’s not encrypted, but you have a secure perimeter, if you will. You have a fence around it that people can’t just walk through.”

The attackers compared their work to corporate bug bounty programs, where some companies will pay security researchers in exchange for finding vulnerabilities in their systems. But this comparison is not especially accurate, as participants in these programs typically do so with the company’s permission, and with strict rules around handling any sensitive data they encounter on the way.

CarePartners said it “takes the safeguarding of personal health and financial information seriously” – regularly updating its systems, and relying on a “leading third party” to manage its computers and networks.