Ontario nurses' regulatory body investigating 'cybersecurity incident'

The College of Nurses of Ontario (CNO) has been dealing with a "cybersecurity incident" that may have compromised the personal information of its almost 200,000 members, CBC News has learned.

The name of the college and some of the information hackers say they have access toappears on a website associated with ransomware attacks. The information appears near a "secret data publication" countdown clock,which appears to give the college just over 12 days to respond to whatever demands the attackers have made.

The hack was discovered Sept. 8, but the college did not tell its members about it until this morning when it posted a statement on its websiteafter being contacted by CBC News.

The CNO has not responded to specific questions about the attack.

"CNO is seeking to determine whether personal information was compromised as a result of the incident," the college said in thestatement.

"Upon discovery of the incident on September 8, CNO took immediate steps to contain the incident and engaged a leading cybersecurity firm that is assisting with remediation and conducting a comprehensive forensic investigation."

Unions decry lack of transparency

But that's not good enough, say unions who represent the 195,500 nurses registered with the college whose personal information may now be accessible to hackers.

"Thousands of nurses in this province won't even know that this is taking place because you have to go to the website to find out, and this is our regulatory body, which holds a lot of personal information about each of its members," said Vicki McKenna, president of the Ontario Nurses Association (ONA), which represents 68,000 nurses.

"I'm outraged that I didn't know as a member of the college that this had happened," said McKenna, noting that she found out about the hack only after CBCinquired about it."That's just unacceptable."

Nurses use the website to renew their licences, which means they provide credit card information.

Some of the data released by the hackers on the ransomware site appears to show information that includes complaints and lawsuits by nurses, including their full names, home addresses and phone numbers. The folders the hackers appear to have accessed are labelled "Human Resources" and "Human Rights Matters."

McKenna said the ONA will contact its members about the possible breach of their personal information.

'Shameful' and 'unforgivable'

"It's unforgivable to wait to let people know. I think that's shameful," said Michael Hurley, the regional vice-president for CUPE, which represents registered practical nurses in Ontario.

"Most nurses are women, and in Canadian society, there's a significant problem with violenceagainst women. I'm concerned about who will have access to private information about these nurses, some of whom have restraining orders against their partners, or have partners who have expressed an intent to be violent."

CUPE also found out about the breach from CBC News. Hurleysaid he will reach out to the province, which oversees the regulatory body.

"The government needs to get on the College of Nurses, and tell it that it must immediately take steps to make this immediately known, so people can protect themselves and their identities," Hurley said.

The Registered Nurses Association of Ontario (RNAO)also found out about the breach from CBC News and will also contact its own members about it, said CEO Doris Grinspun.

"What is going on at the college that they're not disclosing this information?" Grinspun asked. "This breachhappened Sept. 8 and we just learned about it."

Until it was contacted by CBC News on Sept. 17, the college's website informed people the organization wasclosed because of "asignificant technical infrastructure issue" that was being investigated.

No reason to withhold: expert

The same group that has claimed responsibility online for the attack on the college has also attacked a number of American universities, saidBrett Callow, athreat analyst for the cybersecurity firm Emsisoft. One university paid more than $1 million to getbreached data back.

"Whatever information the college had for any individuals is now potentially in the hands of cybercriminals and could be misused, used to commit identity fraud, for example, or to commit various other types of frauds and scams," Callowsaid.

"Organizations should notify individuals whose data may have been compromised as soon as they possibly can. Atleast those individuals can then be on the lookout for suspicious account activity and so on.

"It's better to know that your data may have been compromised than to discover that it has been compromised when you receivea statement for a credit card that you never applied for."

Online databases that allow nurses to update their membershipwith the regulatory body, and allow members of the public to look up a nurse, have been unavailable since Sept. 8. The portal for nurses to apply to the CNO is also unavailable.

"The College of the Nurses of Ontario is in the process of resuming normal operations following a cybersecurity incident," the organization's statement said.