Ontario privacy commissioner investigating hospital group ransomware attack

Ontario’s privacy commissioner is looking into the ransomware attack that hit five hospitals linked to a common shared IT provider.

“Our office is actively investigating the recent ransomware attacks on the affected hospitals in Southwestern Ontario,” the Office of the Information and Privacy Commissioner of Ontario said in a statement Thursday. “We intend to issue a public report of our findings.”

The statement comes after IT provider TransForm Shared Service Organization of Chatham and southwestern Ontario heathcare customers — Bluewater Health of Sarnia, Chatham Kent Health Alliance, Erie Shores HealthCare of Leamington, Hôtel-Dieu Grace Healthcare and Windsor Regional Hospital — revealed they were struck by the Daixin Team ransomware group on Oct. 23.

Data stolen includes a Bluewater Health patient database report on millions of patient visits involving 267,000 people seen at the hospital up to February, 1992. Although the report doesn’t include clinical documents about those patients, it does include names, addresses and dates of birth. An update today issued by Bluewater Health says of those 267,000 people, the report includes the Social Insurance numbers of 20,000 patients.

Also among the data stolen was a Chatham Kent Health Alliance employee database report containing information about 1,446 individuals employed there as of February 2, 2021. Data included name, address, Social Insurance number, gender, marital status, date of birth, and basic pay rate.

The ransomware gang has been releasing the stolen data publicly after the organizations refused to pay a ransom.

More critically, the attack has crippled the delivery of hospital services. Crucial medical charts of patients won’t be restored until mid-December, more than two months after the attack.  Clinical applications will come back online one by one, or in clusters, also by the middle of next month, TransForm says.

In an update today, Hôtel-Dieu Grace Healthcare says it has to revise a preliminary estimate given three days ago of what was stolen. It now says a database report containing information about 1,396 non-professional individuals employed as of November 4, 2022, as well information on some former employees, was taken. That report includes name, Social Insurance number, and basic pay rate.

In its statement, the Ontario privacy commissioner’s office noted it has issued a guideline to the provincial healthcare sector on how to respond to a privacy breach, which includes steps on how to avoid a breach.

The statement came after IT World Canada asked if the privacy commissioner will start an investigation. “In today’s rapidly evolving digital landscape, cyberattacks have become an increasing threat to the security of personal information and electronic records,” the statement says. “Health care organizations are an attractive target for cyber criminals because of the large amount of personal health information in their custody and control. Cyberattacks not only jeopardize data security, but can also disrupt the normal functioning of healthcare facilities, adversely impacting patient care. Given the sensitivity of personal health information, privacy breaches can have devastating impacts for individuals, ultimately undermining trust in the health care system.

“To mitigate these risks, health information custodians must continually invest in robust information technology security measures. They must have proactive measures in place for early threat detection and ensure that these systems are continually updated to meet security industry standards and best practices. Ongoing cybersecurity education and training are also crucial to empower staff to recognize and respond effectively to cyber threats.”

The ransomware attack on the group that uses TransForm comes just over a year after Ontario was warned that some institutions in the broader public sector — which includes hospitals, municipalities and school boards — are struggling with cyber security.

In October 2022, an expert panel reported there has been a “systemic underinvestment in both legacy technology replacement and cybersecurity” in the broader public service.

A key recommendation was that the province create a single body to oversee cybersecurity across the entire broader public service, dispensing advice and demanding accountability. It would augment current governance structures responsible for sector-specific cyber security risks.