Cyber-thieves put hospital data on dark web
November 8, 2023
SARNIA, Ont. – A cyber-attack on southwestern Ontario hospitals has led to computer system outages at the hospitals and patient delays. The thieves have put a third set of patient data on the Internet’s ‘dark web’, but the hospitals have all refused to pay a ransom. The cyberattack on Oct. 23 affected IT systems at Windsor Regional Hospital, Erie Shores HealthCare, Hôtel-Dieu Grace Healthcare, Bluewater Health and Chatham-Kent Health Alliance. It has also delayed appointments for patients.
During a news conference in Toronto on Monday, Minister of Health Sylvia Jones said Ontario Provincial Police continue to investigate the cyberattack.
“Without a doubt, we are very concerned when any type of patient access is compromised and we continue to support those hospitals to make sure that as they work through finding out exactly where the breach was and … ensuring that doesn’t happen again,” Jones said.
A statement on the Transform SSO website reads, “We have made progress in evaluating the affected data and can share some preliminary conclusions.”
According to a CBC News report, the update from the hospitals comes after the cybercriminal group that has claimed responsibility for the attack released another set of sensitive patient data onto the dark web, the author of a site that tracks data breaches said.
This is the third round of data that has been published after the five hospitals agreed not to pay a ransom.
The first round of data, which included scans of patient information like records and claims, was published on Nov. 1. The second round of data, published on Friday, included COVID-19 vaccine records with names and, in some cases, patients' reactions to vaccines.
This third round of data, according to DataBreaches.net – a blog that covers cyberattacks – was released on Sunday.
According to a blog, cybercriminal group Daixin says it has attacked the hospitals in southwestern Ontario and forced them to go dark. CBC’s Jennifer La Grassa breaks down more details the group shared about how it got into hospital systems.
CBC News has not independently verified the claims in the blog, but has verified the identity of the author of the website. An expert told CBC that while the author, who uses the pseudonym Dissent Doe, has a track record of credibility, specific claims made by hackers should be taken with some skepticism.
The author of DataBreaches.net says, through email, that the cybercriminal group Daixin took responsibility for the attack last week.
The attackers targeted a Bluewater Health patient database report. They also were able to steal data from an operations file server that housed a segmented employee shared drive used by all our hospitals. The shared drive data included patient and employee information of varied amounts and sensitivity.
This incident has affected each institution differently. Some are less severely impacted than others. The stolen data is in many formats, some of which are easier to analyze. While the hospitals are sharing an update today, please understand that more work must be done to understand precisely which individuals and what data types were taken.
The following is an initial update on what is known to date. It is not a comprehensive report on the stolen data, as analysis remains ongoing. It is important to note this is not the official notification to individuals.
Bluewater Health
BWH can confirm the theft of a database report. The stolen data includes information about approximately 5.6 million patient visits made by approximately 267,000 unique patients. The stolen database report did not include clinical documentation records. BWH is still in the process of determining the precise individuals included in this database report and the data that was taken and will notify those affected in accordance with the law.
While it does appear that information pertaining to employees was affected to some degree, BWH has reached the preliminary conclusion that no employee or professional staff social insurance numbers or banking information was taken. Out of an abundance of caution, since Monday October 30, BWH has been distributing two years of complimentary credit monitoring to all employees and professional staff.
Chatham-Kent Health Alliance
CKHA’s Electronic Health Record was not affected by this incident. The impacted shared drive did contain some CKHA patient information that CKHA is currently analyzing.
CKHA can confirm the theft of an employee database report containing information about 1,446 individuals employed by CKHA as of February 2, 2021. If you were employed by CKHA on that date, CKHA believes that your data was taken, including name, address, social insurance number, gender, marital status, date of birth and basic pay rate. This database report does not appear to include professional staff or volunteers. No banking information was stolen.
CKHA has been distributing two years of complimentary credit monitoring, on site, since Monday, October 30. CKHA will continue to provide this, on site, to current employees for the foreseeable future, and we encourage all employees to sign up. For those past employees included in the database report who have not signed up in person, CKHA will be mailing you a letter with your unique credit monitoring code and instructions.
Erie Shores HealthCare
ESHC’s Electronic Health Record was not affected by this incident. The impacted shared drive did contain some ESHC patient information that ESHC is currently analyzing.
ESHC has identified a limited set of stolen data that includes approximately 352 current and past employee social insurance numbers. As it does not appear that the entire workforce was affected, ESHC will be individually notifying those impacted. No banking information was stolen.
ESHC has been distributing two years of complimentary credit monitoring, on site, since Monday, October 30. ESHC will continue to provide this, on site, to current employees for the foreseeable future, and we encourage all employees to sign up. For those past employees included in the affected data who have not signed up in person, ESHC will be mailing you a letter with your unique credit monitoring code and instructions.
Windsor Regional Hospital
A very limited portion of a shared drive used by hospital staff was accessed by the attackers. The preliminary review indicates that in the shared drive that was breached, some patients were identified by name only or some with a brief summary of their medical condition but not with any patient charts/electronic medical records.
While it does appear that information pertaining to employees was affected to some degree (i.e. staff schedules), WRH has reached the preliminary conclusion that no employee or professional staff social insurance numbers or banking information were affected. Out of an abundance of caution, since Monday October 30, Windsor Regional Hospital has been distributing two years of complimentary credit monitoring to all employees and professional staff.
Hôtel-Dieu Grace Healthcare
HDGH’s Electronic Health Record was not affected by this incident. The breached shared drive did contain some HDGH patient information that HDGH is currently analyzing.
While it does appear that some information pertaining to employees was stolen, HDGH has reached the preliminary conclusion that no employee or professional staff social insurance numbers or banking information were taken. Out of an abundance of caution, since Monday October 30, HDGH has been distributing two years of complimentary credit monitoring to all employees and professional staff.
All hospitals have some degree of patient and employee information affected. All of our hospitals are diligently investigating the stolen data to determine who is impacted. This difficult process will take time. All hospitals are committed to transparency and will provide regular updates as we learn more.
The teams continue to work around the clock to restore systems. In the coming days, we anticipate providing a timeline on the restoration of operations at our facilities.
We have reported these findings to the Ontario Information and Privacy Commissioner, and we are committed to providing all those affected with notification in accordance with the law.
A patient cybersecurity hotline has been established. For inquiries please call: 519-437-6212 (8 am to 11 pm Monday through Friday). Staff questions can be directed to their HR teams.
A statement on the Transform website reads, “We condemn the actions of cyber criminals, in the healthcare sector and elsewhere, in our communities and around the world. We understand the concern this incident has raised within our communities, including patients and our employees and professional staff, and we deeply apologize.”