5 hospital CEOs report on impact of ransomware
November 22, 2023
WINDSOR, Ont. – CEOs of the five southwestern Ontario hospitals hit by a ransomware attack answered questions from the media last week, acknowledging the significant impact the incident has had on care, as well as the large amount of stolen data. The hospital CEOs also stood behind IT provider TransForm, saying they are “confident” the group is working hard to get systems back online, with a priority on clinical services.
“We apologize for this. And we apologize for the inconvenience this has had and the issues this has caused for the patients in our community,” said Windsor Regional Hospital CEO David Musyj.
“But I can tell you individually and collectively, our focus is on them and our focus is on our staff to regain that trust.”
Bluewater Health in Sarnia said that without access to its systems, “there has been an impact on our families and patient experience.” CEO Paula Reaume-Zimmer said urgent and emergency cases have been prioritized, and as a result, their diagnostic imaging department has had to cancel more than 3,500 appointments, causing a “significant and growing backlog.”
It’s unclear how long patients will be waiting to get their appointment, she said.
She added that staff have been notifying patients of changes to their appointments, but in some cases, the patient hasn’t been told until they have arrived at the hospital.
She also said labs in the Sarnia and Petrolia regions are deferring walk-in, non-urgent cases to deal with emergent ones.
Out of all the affected facilities, Bluewater Health has had the greatest amount of patient information leaked onto the dark web. As a result of the cybercriminals gaining access to a patient database, information on all of Bluewater Health’s 267,000 patients who have attended the facility, and its predecessors, since 1992 has been compromised.
Since Friday, staff have been reaching out to about 20,000 patients who have had their social insurance numbers (SINs) compromised. Reaume-Zimmer said there is additional stolen information that they are still investigating.
Windsor Regional Hospital
Windsor Regional Hospital CEO David Musyj said diagnostic imaging and their curative radiation treatments took the largest hit during this attack.
Musyj said the number of diagnostic imaging appointments for a CT scan or MRI that need to be rescheduled is “into the thousands.” For other imaging, he said, they are working to get these appointments done through community partners.
He added that although surgeries were postponed, they got back on track a few days after the cyberattack. As of Friday, the hospital said its curative radiation treatments are back up to full capacity.
The hospital said that for patients who had to go elsewhere to get their treatment, they are being told to complete their treatment at the location they started at for continuity of care and to avoid further delays.
On Nov. 6, the hospital said in a news release that some patient data was breached and that included their name and a summary of their medical condition. It had also said some employee information was impacted, though that doesn’t appear to include SIN or banking information.
Hôtel-Dieu Grace Healthcare
Services and programs at Windsor’s Hôtel-Dieu Grace Healthcare, according to CEO Bill Marra, have not been impacted by the cyberattack. He added that while there have been some efficiency and timing issues, all of their inpatient and outpatient programs have been running.
Marra said the hospital is only aware of an employee database being stolen, which included information on 1,396 current and former employees. These are workers who started their employment at the hospital as of Nov. 4, 2022.
Full names, SINs and basic rates of pay were stolen, according to Marra, who added that they aren’t aware of any banking information having been taken. He said these people will be receiving a letter in the mail.
“Our resiliency has been once again tested by way of a crisis and once again we demonstrated that we put our people, our patients, our clients and our community first,” he said.
Erie Shores Healthcare
Kristin Kennedy, CEO of Erie Shores Healthcare in Leamington, said the biggest impact has been on their diagnostic imaging, with ultrasounds, CT scans and mammograms having to be rescheduled. Some of these appointments have been delayed by six weeks.
X-rays and nuclear tests, according to Kennedy, have continued. By the end of November, Kennedy said, they anticipate that full capacity for imaging will be restored and that by the end of December, services will have fully resumed.
Kennedy said the reason for the delays is that radiologists have limited capacity to read the images.
She said to mitigate this issue, they are creating a separate system to “fill the current gap,” and this system will provide “redundancy” that will protect the imaging services against similar issues in the future.
The information of 350 current and previous staff members was stolen, according to Kennedy. In particular, she said, their names and SINs have been taken. The employees worked during two pay periods, June 2019 and January 2020.
She added that banking information is not part of this. Kennedy said they are still looking at remaining data that might have been leaked.
Chatham-Kent Health Alliance
CEO Lori Marshall said that in the first few days of the attack, surgeries and procedures were rescheduled, but since then, the hospital has returned to “more normal” volumes.
The hospital said it has deferred new chemotherapy patients to London, but will transition those patients back once their systems are up and running.
Stroke patients have also been sent via ambulance to either Windsor Regional Hospital or London Health Sciences Centre.
Marshall said the hospital is relying on community partners to help them do imaging, but cancer patients with imaging needs are being sent to London.
“In times like these, it is easy to feel overwhelmed and frustrated and vulnerable. The impact of the cyberattack extends far beyond the digital realm and when it affects an institution like a hospital, we know that it has real-life impacts,” she said.
As for the data that has been leaked, Marshall confirmed a database report containing information on about 1,446 employees, who started working at the organization as of Feb. 2, 2021, was breached.
The information stolen includes names, addresses, SINs, gender, marital status, date of birth and pay rates. Marshall said no banking information was taken. Marshall said these employees would be notified by the end of this week and early next week.