Ontario government still silent after hospital ransomware attacks

Six days after being asked for comment, the government of Ontario is still considering a public response to recent cyber attacks on hospitals in the province.

Last week, an IT World Canada reporter asked for comment from the Ministry of Public and Business Service Delivery on the ransomware attack on five southwestern Ontario hospitals that share an IT services provider, and a cyber attack on a Toronto hospital.

However, while a spokesperson for the department says it is considering a response, none has been received.

The request was made to the ministry because last year it received a report from an expert panel on cybersecurity in the provincial broader public sector, which includes hospitals, municipalities and school boards. In response to that report, the government said it “accepted recommendations outlined in the final report.” However, no timeline for implementing the recommendations was given.

“Work is underway to assess and implement measures that will improve and strengthen the province’s cyber security ecosystem,” the government said at the time.

In the initial request for comment on Nov. 9, the department was asked for an interview with Minister Todd McCarthy. We were told he was not available, and were asked to submit written questions. Those questions include asking what the government has been doing since it learned of the attacks, and whether these successful attacks meant these incidents are evidence that the government hasn’t done enough to improve cybersecurity in the broader public sector.

The Nov. 9 request for comment came after the provincial information and privacy commissioner said it has opened an investigation into the ransomware attack on the southwestern Ontario hospitals.

Asked yesterday when a response is coming, Jeffrey Stinson, the department’s digital and social media advisor, replied in an email that the department is “working to address your questions and provide a fulsome response as soon as possible.” Over 24 hours later there was still no response.

The ransomware attack by Daixin Team through IT provider TransForm Shared Service on the five hospitals — Bluewater Health of Sarnia, Chatham Kent Health Alliance, Erie Shores HealthCare of Leamington, Hôtel-Dieu Grace Healthcare and Windsor Regional Hospital — took place on Oct. 23.

The hospitals are still weeks away from full recovery of IT-related services. According to CBC News, Windsor Regional Hospital is manually processing pay for thousands of staff — and is warning employees there may be errors.

According to The Windsor Star, stolen data publicly posted by the ransomware gang contains what it calls deeply personal information about hundreds of hospital patients. The news service also said Windsor Regional Hospital had to send cancer treatments to Kitchener as a result of the attack.

Separately, Toronto’s Michael Garron Hospital said it had suffered a cyber attack. In a Nov. 8 update, the hospital said it didn’t pay a ransom. It said some personal data of hospital employees and credentialed clinicians employed from January 2015 to November 2023 was stolen. The information includes home addresses, social insurance numbers, bank account numbers (for employees on direct deposit) and earnings information for affected employees and home addresses, social insurance numbers and earnings information for affected credentialed clinicians.