
Data on 267,000 Sarnia patients going back 3 decades among cyberattack thefts at 5 Ontario hospitals


Bluewater Health data includes patient names and reasons for visits

Bluewater Health in Sarnia is one of five area hospitals currently experiencing a cyberattack. (Kerri Breen/CBC)

Patients' information — including the reasons for their visits — going back three decades from Bluewater Health in Sarnia, Ont., and its predecessor hospitals is among the data confirmed stolen in the cyberattack on five southwestern Ontario hospitals.

Transform, the hospital's IT provider, now confirms a database report containing information on 267,000 patients was taken. The report includes details about "every patient" seen at Bluewater Health and its predecessors since Feb. 24, 1992.

Those predecessor institutions are:

  • Lambton Hospitals Group.
  • Charlotte Eleanor Englehart Hospital of Bluewater Health.
  • Sarnia General Hospital.
  • St. Joseph's Hospital. 

"We condemn the actions of cyber criminals, in the health-care sector and elsewhere, in our communities and around the world," Transform said in a statement Thursday that was distributed by the hospitals. 

"We understand the concern this incident has raised within our communities, including patients and our employees and professional staff, and we deeply apologize."

The database report taken from Bluewater Health includes names and addresses, as well as the reason for the visit and "general notes on prior registrations" among other personal information. 

WATCH | What group claiming it's behind cyberattack says about how it got into Ontario hospital systems:

According to a blog, cybercriminal group Daixin says it has attacked the hospitals in southwestern Ontario and forced them to go dark. CBC's Jennifer La Grassa breaks down more details the group shared about how it got into hospital systems.


Social insurance numbers for about 20,000 patients at Bluewater Health and the other hospitals were also stolen, the hospitals say.

People whose social insurance numbers were included in the database report will be contacted directly and the hospital will provide two free years of credit monitoring services. 

The hospitals now also say they have revised information about the data stolen from Hôtel-Dieu Grace Healthcare in Windsor.

"Unfortunately, HDGH can confirm the theft of an employee database report containing information of about 1,396 individuals employed by HDGH as of Nov. 4, 2022, and some former employees," the hospitals said in a statement. 

That employee data includes names, social insurance numbers and basic pay rates. The theft does not appear to include professional staff and volunteers, and no banking information was stolen. 

The hospital had previously said some employee data was stolen, but no social insurance numbers were taken. 

The hospital is providing two years of credit monitoring on site to current employees, and for former employees who have not signed up in person, the hospital will mail a letter. 

According to the statement, the three other hospitals hit by the Oct. 23 cyberattack — Erie Shores HealthCare, Chatham-Kent Health Alliance and Windsor Regional Hospital — had no further updates to share. In an earlier update about stolen data, the hospitals said social insurance numbers were stolen from more than 1,400 patients at Chatham-Kent Health Alliance.

The hospitals say some information obtained in the hack has been released online after they refused to pay a ransom.

Sharon Polsky is the president of the Privacy and Access Council of Canada, the governing body for professionals who work in privacy and data protection. 

She questions why patient information was kept in an accessible database for 30 years.

The implications are wide: Polsky said she would also be concerned for people born recently, whose data may be compromised but not discovered until much, much later — like when they go to apply for their first credit card. 

"I'll have questions. Why are patients' social insurance numbers collected? Maybe there's a valid reason. I cannot think of one … I certainly would have challenged it if I went to hospital and they asked me for my social insurance number."

Polsky says she would like to see organizations mandated to report information breaches like cyberattacks in a publicly accessible database.

"Our view is that would give the people, who are to provide their informed consent before the organization collects their information, the ability to make an informed decision," she said. 

"If I can find out that Hospital A has never reported a breach, Hospital B next door has reported one, two, 10 breaches in a month or a year, a decade, then I can make a better informed decision where to take my business, whether it's a hospital or the store."

The hospitals said they have reported the findings to Ontario's Information and Privacy Commissioner, and say "those affected have the right to file a complaint with Ontario Information and Privacy Commissioner."

A patient cybersecurity hotline has also been established for patient questions. It can be reached from 8 a.m. to 11 p.m. Monday to Friday at 519-437-6212.