Southwestern Ontario hospitals over a month away from restoring full service as IT network rebuilt

The five southwestern Ontario hospitals and their shared services provider hit by ransomware won’t be able to restore full IT services — including rebuilding the IT network — for over a month, if not longer, according to a statement from the affected institutions.

In fact, crucial medical charting of patients won’t be restored until mid-December, more than two months after the attack. Clinical applications will also be coming back online, one by one or in clusters, by the middle of next month.

“Our experts have advised us that the safest route is to rebuild the network,” the statement says.

The Daixin Team ransomware group claims responsibility, and has been publishing stolen data after the institutions refused to pay a ransom.

Not all of the data the institutions held was copied. However, in a statement today, the victims said all clinical and non-clinical systems at the group were impacted in some way.

The group includes Bluewater Health of Sarnia, Chatham Kent Health Alliance, Erie Shores HealthCare of Leamington, Hôtel-Dieu Grace Healthcare and Windsor Regional Hospital, along with shared services provider TransForm Shared Service Organization.

The statement says it could take “a number of months” before the names of people whose data was stolen are confirmed.

As of today, medical staff have either no or partial access to past patient records or medical history, patients’ current medication list, reports from other clinicians involved in care, or pre-admission workups. For that reason, patients are asked to bring their health card with them, even if they have previously received treatment at one of the impacted healthcare institutions.

As for systems that are functional, the statement says they are slower than usual and require extra time to work. As a result, access to labs and diagnostic imaging is affected.

Some physicians may cancel medical procedures if they are missing important information, the statement warns.

The network and services restoration is being done in four phases: Containment of the attack, which is the only stage complete; forensic identification of the cause of the attack; remediation (including strengthening and adding additional protections to the network); restoration of applications and systems; and continuous network monitoring.

The attackers didn’t get hold of the following databases: employee payroll, accounts payable (including vendor payments or payments to professional staff), donor information, or the electronic health records for four of the five institutions.

However, what the attackers were able to copy is significant and includes:

— a Bluewater Health patient database report on millions of patient visits involving 267,000 people. However, it doesn’t include clinical documents about those patients;

— data from an operations file server that housed a segmented employee shared drive used by all of the hospitals. The shared drive data included patient and employee information of varied amounts and sensitivity;

— a Chatham Kent Health Alliance employee database report containing information about 1,446 individuals employed there as of February 2, 2021. Data included name, address, social insurance number, gender, marital status, date of birth, and basic pay rate. This database report does not appear to include professional staff or volunteers;

— the impacted shared drive has some information on patients at Erie Shores HealthCare and social insurance numbers of 352 current and past employees;

— a “very limited portion of a shared drive used by hospital staff” at Windsor Regional Hospital was accessed by the attackers. A preliminary review shows some patients were identified by name only or some with a brief summary of their medical condition, but not with any patient charts/electronic medical records. Information pertaining to Windsor hospital employees was affected to some degree (such as staff schedules); a preliminary conclusion is that no employee or professional staff social insurance numbers or banking information were affected.

— employee and medical staff information on the shared drive from Hôtel-Dieu Grace Healthcare was stolen, but a preliminary investigation suggests no social insurance numbers or banking information was copied.

The post Southwestern Ontario hospitals over a month away from restoring full service as IT network rebuilt first appeared on IT World Canada.
Howard Solomon