SW Ontario hospitals report on stolen patient records
April 10, 2024
SARNIA, Ont. – Starting this week, five hospital networks impacted by a ransomware attack last October will begin mailing roughly 326,800 letters to patients whose personal information – including roughly 20,000 social insurance numbers – was stolen. The hospitals are all in southwestern Ontario.
Representatives from Bluewater Health, Chatham-Kent Health Alliance, Erie Shores HealthCare, Hôtel-Dieu Grace Healthcare and Windsor Regional Hospital held a news conference last week to announce the total patient impact and provide an update on recovery efforts.
They noted that some individuals may receive more than one letter if their information was compromised at more than one hospital. In total, 82,000 patients were impacted at Bluewater Health, 69,000 at CKHA, 102,000 at Erie Shores HealthCare, 46,000 at Hôtel-Dieu Grace Healthcare and 27,800 at Windsor Regional.
Social insurance numbers were only taken from patient files at Bluewater Health in Sarnia and Petrolia, amounting to roughly 20,000. President and CEO Paula Reaume-Zimmer said patients whose SIN was compromised will be provided with credit monitoring.
“While operations are beginning to normalize, we are at the same time working diligently with TransForm (Shared Service Organization) to convert to a regional instance of Oracle Health in the fall, which will provide Bluewater Health with an advanced health information system aimed to improve clinical processes and digital security.”
The cyberattack’s impact on clinical systems resulted in a backlog of roughly 9,000 diagnostic imaging appointments like CT scans, X-rays and MRIs at Bluewater Health. Reaume-Zimmer said all of those appointments have been rebooked and the hospital “is continuing to work on the referrals that have occurred since then.”
Additionally, the ransomware impacted lab work at Bluewater Health, though it is unclear how many patients had to be diverted to third-party labs because many of those appointments would have been set up through primary health care offices and not through the hospital system.
At CKHA in Chatham and Wallaceburg, president and CEO Lori Marshall said the types of data stolen were not medical records from patient health records but instead information like names, addresses, treatment names, diagnosis names and appointment dates. She added that very few health card numbers were stolen and that key critical systems impacted by the cyberattack have now been fully restored.
“Work is well under way” to restore “the remaining subsidiary systems across both the clinical and administrative areas” by the end of June, she added.
“Much work has been done to date to enhance our cyber security measures, to ensure we can better defend ourselves against these types of attacks.”
Erie Shores HealthCare CEO Kristin Kennedy said information taken from the hospital in Leamington mainly centred on registration reports and administrative reports stolen from a restricted share drive. The data included patient name only or a combination of information including address, date of birth, health card number “and a generic reason for a patient visit.”
Kennedy said financial information was not part of the patient breach and medical records were not accessed.
“We’ve been working around the clock to mitigate clinical impacts. Our most impacted systems within diagnostic imaging are now all restored.”
Hôtel-Dieu Grace Healthcare president and CEO Bill Marra said stolen information from the hospital in Windsor’s west end included names, dates of birth, locations of care, diagnoses, treatment information and/or health card numbers.
“What I want to underscore, and what is very important, is that the actual patient records were not accessed,” he said.
“I am proud today to state that most of the system restoration has occurred … There was no delay in patient care or patient program closures or services throughout any of the period since Oct. 23.”
Windsor Regional Hospital, which has both the Ouellette Campus and the Metropolitan Campus in Windsor, said patient health records and financial information were not impacted. The breach there was of information from admissions, census and assignment sheets saved to a shared drive that clinical staff access when they do their rounds, that is, when they visit with patients. The data included items like a patient’s name, what room they were in and possibly their “general” diagnosis.
“Systems have been largely restored at Windsor Regional Hospital, save for some ancillary systems. We have to ensure when bringing these systems back up, that the security is verified by a third party,” CEO David Musyj said.
“Lessons will be learned, applied and shared with others.”
Musyj was also asked about the status of the hospital’s cancer programs, as some patients had been referred to other organizations while the hospital dealt with the fallout from the attack. Musyj was unable to provide an exact date, but said they’ve been back to “normal operations with respect to our cancer patients” for “quite some time.”
He also took the opportunity to praise collaboration in the healthcare system, even across the border into the United States, during this time.
“Everyone pulled together – from the ministry, (Ontario Health), other Ontario hospitals, even Michigan hospitals – to make things very seamless for our patients. And that shows the system does work. And we really appreciate the patients themselves, their tolerance during this difficult time, getting the systems back online for cancer patients.”
When asked whether the cyberattack raised concerns about the safety and security of using a shared IT service provider, Marshall with CKHA said “we remain committed to a shared service program amongst the five hospitals for efficiency and optimization.”