Info from 5.6 million patient visits among data stolen in ransomware attack on Ontario hospitals

A database containing information on 5.6 million patient visits to Bluewater Healthand the social insurance numbers of as many as 1,446 Chatham-Kent Health Alliance employees are among thedata taken in the ransomware attack on five southwestern Ontario hospitals, officials said in a lengthy update Monday.

The update including specific information about what was stolen from each hospital comes after somedata was published by the hackers online.

"All hospitals have some degree of patient and employee information affected," the hospitals said in a joint afternoon statement."All of our hospitals are diligently investigating the stolen data to determine who is impacted."

Thecyberattackon Oct. 23 hasled to a system outage involving patient records, email and moreat Windsor Regional Hospital, Erie Shores HealthCare, Htel-Dieu GraceHealthcare, Bluewater Health and Chatham-Kent Health Alliance.It hasalsodelayed appointments for patients.

Neither the hospitals nor TransFormthe hospitals' IT and payroll administration organization, which is at the centre of the attackhave paid ransom demanded by attackers.

TransForm says anyone whose data has been compromised will be contacted directly.

According to the joint statement from the hospitals, attackers were able to steal data from a shared file server that included patient data of "varied amounts and sensitivity."

"The stolen data is in many formats, some of which are easier to analyze," officials said in their statement.

Also targeted was a Bluewater Health patient database report.

Not stolen in the attack are databases related to employee payroll, accounts payable, electronic health record information at hospitals other than Bluewater Health and donor information.

The hospitals calledthe information releasedMonday "an initial update on what is known to date," saying that analysis is still ongoing.

Hospitals summarize known extent of breach

• Bluewater Health in Sarnia: The stolen database reportincludes information on 5.6 million visits made by 267,000 unique patients. The hospital says it is still determining the specific individuals included in the report andit did not include clinical documentation records. Employee and staff SIN and banking information was not taken.
• Chatham-Kent Health Alliance: An employee database that contained information about 1,446 employees working at the hospital as of Feb. 2, 2021, was taken. That information includes names, SINs, addresses and rates of pay, among other basic personal information.But thedatabase did not include professional staff or volunteers. No banking information was stolen.The CKHA's electronic health record was not affected, but a shared drive did contain some patient information still being analyzed by the hospital.
• Erie Shores HealthCare in Leamington: A"limited set" of stolen data includes 352 current and past employee social insurance numbers (SIN). The hospital says its entire workforce was not affected, so impacted employees will be notified directly. No banking information was stolen.
• Windsor Regional Hospital: Officials say a limited portion of a shared drive used by staff some patients were identified, either by name only or with a brief summary of their medical conditions. The information does not include any patient charts or electronic medical records.Information pertaining to some employees, like staff schedules, was affected, but WRH believes no SINsor banking information was taken.
• Htel-Dieu GraceHealthcarein Windsor: The breached shared drive included some patient information the hospital is still analyzing.Some employee information was stolen, but the hospital says that does not includeSINs or banking information.

The hospitals are all offering free credit monitoring to their employees and professional staff. Past employees whose information may have been affected, like at CKHA, can sign up in person at the hospital or will receive a letter with instructions.

The hospitals said they anticipate an update on the restoration of systems in the coming daysand they have reported findings to the Ontario Information and Privacy Commissioner.

The hospitals have set up a cybersecurity hotline for questions from patients, at 519-437-6212, with hours from 8 a.m. to 11 p.m. Monday to Friday. Staff can direct questions to their HR teams.

"We condemn the actions of cybercriminals, in the health-care sector and elsewhere, in our communities and around the world," officials said. "We understand the concern this incident has raised within our communities, including patients and our employees and professional staff, and we deeply apologize."

Cybercriminal group exposes new batch of data: blog

The update from the hospitals comes afteranother bunch of sensitive patient data was released onto the dark webby thecybercriminal group that has claimed responsibility for the attack, according to the author of a site that tracks data breaches.

This is the third round of data that has been published after the five hospitalsagreed not to pay aransom.

The first round of data, which included scans of patient information like records and claims,was published on Nov. 1. The second round of data, published on Friday, included COVID-19 vaccine records including namesand in some cases their reactions to vaccines.

This third round of data, according to DataBreaches.net a blog that covers cyberattacks was released on Sunday.

WATCH | Cybercriminal group claims responsibility for hospital attack:

Cybercriminal group claims responsibility for ransomware attack on hospitals

10 months ago

Duration 3:19

According to a blog, cybercriminal group Daixin says it has attacked the hospitals in southwestern Ontario and forced them to go dark. CBC's Jennifer La Grassa breaks down more details the group shared about how it got into hospital systems.

CBCNews has not independently verified the claims in the blog, but has verified the identity of the author of the website. An expert told CBCwhile the author, who uses thepseudonym Dissent Doe, has a track record of credibility,specific claims made by hackersshould be taken with some skepticism.

The author of Databreaches.net says through email thecybercriminal group Daixintook responsibility for the attack last week.

According to Dissent, the third round of data includes some personnel information, sensitive patient information and IT-related data.

They say this involves discharge data on patients between 2013 and 2015, as well as survey responses, patient complaints and internal hospital reviews that have been done.

Dissent writes that their description of what data was leaked is "intended to remind the public what can happen when threat actors can gain access to a network and why entities need to really evaluate whether they have adequate security for sensitive files."

Dissent adds in their blog that there is still another part of the data that Daixin hasn't yet dumped and that is databases.

During a newsconference in Toronto on Monday, Minister of Health Sylvia Jones said Ontario Provincial Police continue to investigate the cyberattack.

"Without a doubt, we are very concerned when any type of patient access is compromised and we continue to support those hospitals to make sure that as they work through finding out exactly where the breach was and ... ensuring that doesn't happen again," Jones said.