Privacy & Security
SW Ontario hospitals facing $480 million class action
December 6, 2023
SARNIA, Ont. – A group of southwestern Ontario hospitals is facing a potential $480-million class action lawsuit after at least 270,000 patients in the region had their data breached and reportedly sold by hackers on the dark web.
The breach, first detected on Oct. 23, targeted Bluewater Health, Chatham-Kent Health Alliance, Erie Shores HealthCare, Hôtel-Dieu Grace Healthcare, Windsor Regional Hospital, and TransForm Shared Service Organization, which operates technology systems for the hospitals.
The lawsuit was launched by a patient of Bluewater Health but is being filed on behalf of all Ontario residents who were or are patients of any of the five hospitals.
A statement of claim obtained by CTV News argues that the hospitals failed to adequately protect patient records. The statement of claim goes on to state that the patients are enduring “serious and prolonged mental distress” as a result of the breach.
“The defendants did not employ adequate or effective cyber security measures which resulted in unknown individuals illegally gaining access to their computer network, data, digital storage, digital files, and computers,” the document alleges.
“The information which was invaded, including but not limited to personal health information, is highly sensitive and personal, and a reasonable person would consider the invasion to be highly offensive causing anguish, humiliation, and/or distress,” it continues.
The social insurance numbers of 20,000 Bluewater patients were collected during the attack, alongside names, addresses, phone numbers, dates of birth, and reasons for visits to healthcare facilities. Any patient who registered for treatment after Feb. 24, 1992, was compromised.
A group called Daixin Team has claimed responsibility for the breach.
In November, the hospitals acknowledged the data had been published on the ‘dark web’ after they refused to bend to ransom demands from the hackers, a number purported to be in the millions. Those claiming to be responsible have since said they have sold the “full leak” of stolen data.
A statement of defence has not been filed in the civil proceedings. When reached for comment, the hospitals issued a joint statement confirming they had received the lawsuit.
“As this is now a legal matter before the courts, we will not be commenting. Please visit our website for updates on the cyber attack and restoration of services,” the statement reads.
The Ontario Provincial Police, alongside the United States Federal Bureau of Investigation, have also launched a criminal investigation into the incident.
Speaking with CTV News, the lawyer for the plaintiffs, Marielle Dahab of Dahab Law, said to CTV News that while the hospitals were themselves victims of the breach, they ultimately failed to protect their patients’ information.
“The ultimate victim is the patient, not the hospital,” she said. “It wasn’t the hospital’s information that’s been leaked out there.”
In preparing and serving the lawsuit, Dahab said she heard from many of the affected patients.
Dahab said that, ultimately, the parties are hoping their action can help others think more critically about data protection.
“We’re hoping that this changes the way people are looking at data – taking it lightly and depending so much on IT companies to protect them from liability,” she said. “You protect your data.”