Queensway Carleton Hospital hit by data breach
May 3, 2023
OTTAWA – The Queensway Carleton Hospital sent out public notices of a data breach last week and is contacting patients individually. Up to 100,000 patients could be affected, the hospital said, and police have been notified.
Queensway Carleton Hospital said it stopped using the virtual care platform by the Canadian software company Aetonix Systems Inc. after learning in March that an unauthorized third party may have gained access to an “internal test environment”, where personal health information of Canadian patients had been temporarily stored.
“Following a thorough review of the incident, Aetonix’s forensic investigation has concluded that the incident may have resulted in your personal health information being accessed or copied by an unauthorized third party,” the hospital wrote in a notice to patients.
It is unclear whether the data breach extends beyond patients of Queensway Carleton Hospital. On its website, the software company mentions a number of health institutions as its clients – including Pinecrest Queensway Community Health Centre and Arnprior Regional Health, among others.
Neither Aetonix nor individual health organizations had responded to questions about the extent of the breach, the Ottawa Citizen reported.
In a statement, Aetonix said it believes that “all data uploaded to our aTouchAway platform by Canada-based healthcare providers, patients and/or their caregivers prior to and including February 23, 2023, which was subsequently copied into the test environment, may have been compromised.”
It is unknown how many people that could include, but the company said it is working with privacy commissioners and ombudsmen’s offices in Ontario, Quebec, Manitoba and Alberta.
On its website, Aetonix says it is used globally by 250 hospitals and tens of thousands of patients. The Ottawa-based company was founded in 2014 by Michel Paquet, a high-tech executive who was looking for solutions to his own family’s health issues.
His 83-year-old aunt was suffering from Alzheimer’s disease and was finding it difficult to communicate, leading to problems with care and feelings of isolation.
His aim was to provide simple solutions to complex care management, especially for patients in remote locations, and to make virtual hospitals possible, according to a 2020 Ottawa Citizen column by Brigitte Pellerin. The pandemic brought greater interest to the company’s virtual services.
The company says there has been no impact to patient data outside of Canada “and we are not aware of any misuse of patient information.”
Law enforcement was notified on March 17, the company said.
The company’s investigation identified that data for certain patients over the past two years may have been accessed from the Aetonix cloud platform. Queensway Carleton Hospital contracted with the company in March 2021 to provide virtual communications services and remote patient monitoring, among other tools to support patients. As part of that contract, information was sent from QCH to an Aetonix cloud server.
The investigation by Aetonix could not confirm whether any unauthorized person actually viewed or copied the patient information.
“We want to stress that neither QCH nor Aetonix are aware of any misuse of this information,” said the hospital. It added that Aetonix “continues to monitor the Internet for any activity and potential misuse of the data.” QCH said it will share updates on its website.
Data potentially accessed could include: demographic information including the patient’s name, gender, date of birth, marital status and mother tongue; home addresses, phone numbers, and email addresses; OHIP numbers; insurance policy numbers; health care providers; patient ID numbers; patient visit ID numbers; scheduled surgical dates; past medical history and procedure description.
The hospital said it will communicate individually with patients about information that was potentially impacted.
“We understand that this can be worrisome. Please know, there is no indication that any information has been misused.”
Aetonix describes the “test environment” that is the focus of the data breach as an interface in which software engineers and other members of the testing team can test new or existing software or new features before they are released to customers.