Patient information, including reasons for visits, dating back three decades from Bluewater Health in Sarnia, Ont., and its predecessor hospitals is among the data confirmed stolen in a cyberattack on five southwestern Ontario hospitals.
Transform, the hospital’s IT provider, now confirms that a database report containing information on 267,000 patients was taken. The report includes details about “every patient” seen at Bluewater Health and its predecessors since February 24, 1992.
Those predecessor institutions are:
- Lambton Hospital Group.
- Bluewater Health Charlotte Eleanor Englehart Hospital.
- Sarnia General Hospital.
- Saint Joseph’s Hospital.
“We condemn the actions of cybercriminals, in the healthcare sector and elsewhere, in our communities and around the world,” Transform said in a statement Thursday distributed by the hospitals.
“We understand the concern this incident has raised in our communities, including patients and our employees and professional staff, and we deeply apologize.”
The database report pulled from Bluewater Health includes names and addresses, as well as the reason for the visit and “general notes on previous registrations,” among other personal information.
SEE | The group claiming to be behind the cyberattack describes how it reached Ontario hospital systems:
According to a blog, the cybercriminal group Daixin says it attacked hospitals in southwestern Ontario and forced them to close their doors. CBC’s Jennifer La Grassa breaks down more details the group shared about how it got into hospital systems.
According to the hospitals, the social security numbers of about 20,000 patients at Bluewater Health and other hospitals were also stolen.
Individuals whose Social Security numbers were included in the database report will be contacted directly and the hospital will provide two years of free credit monitoring services.
The hospitals now also say they have reviewed information about data stolen from Hôtel-Dieu Grace Healthcare in Windsor.
“Unfortunately, HDGH can confirm the theft of an employee database report containing information on approximately 1,396 individuals employed by HDGH as of November 4, 2022, and some former employees,” the hospitals said in a statement.
Employee data includes names, social security numbers, and base salaries. The theft does not appear to involve professional staff or volunteers, and no banking information was stolen.
The hospital had previously said some employee data had been stolen, but no social security numbers were taken.
The hospital offers two years of on-site credit monitoring to current employees, and for former employees who have not signed up in person, the hospital will send a letter in the mail.
According to the statement, the three other hospitals affected by the Oct. 23 cyberattack — Erie Shores HealthCare, Chatham-Kent Health Alliance and Windsor Regional Hospital — had no further updates to share. In a previous update on stolen data, the hospitals said Social Security numbers were stolen from more than 1,400 patients at Chatham-Kent Health Alliance.
The hospitals say some of the information obtained in the hack was posted online after they refused to pay a ransom.
Sharon Polsky is the president of the Privacy and Access Coalition of Canada, the governing body for professionals working in privacy and data protection.
She questions why patient information was kept in an accessible database for 30 years.
The implications are broad: Polsky said she would also be concerned about recently born people, whose data may be compromised but not discovered until much, much later, such as when they apply for their first credit card.
“I will have questions. Why are social security numbers collected from patients? Maybe there is a valid reason. I can’t think of one… I certainly would have questioned it if I had gone to the hospital and they asked me for my social security number.”
Polsky says she would like to see organizations mandated to report information breaches, such as cyberattacks, in a publicly accessible database.
“Our view is that that would give people, who must give informed consent before the organization collects their information, the ability to make an informed decision,” she said.
“If I can find out that Hospital A has never reported a breach, Hospital B next door has reported one, two, 10 breaches in a month or a year, a decade, then I can make a more informed decision about where to take my business, whether it’s a hospital or the store.”
The hospitals said they reported the findings to Ontario’s Information and Privacy Commissioner and said “those affected have the right to file a complaint with the Ontario Information and Privacy Commissioner.”
A patient cybersecurity hotline has also been established for patient questions. It can be reached from 8 am to 11 pm Monday through Friday at 519-437-6212.