
Ontario Hospital Cyberattack Exposed Major Privacy Flaws


A ransomware attack on Ontario hospitals exposed the data of over 516,000 people. A report urges stronger cybersecurity measures across the healthcare sector.

Hospitals Affected by Massive Cyberattack Identified

A sweeping investigation by Ontario’s Information and Privacy Commissioner (IPC) has revealed the scale and scope of a ransomware attack that compromised personal health information of more than 516,000 individuals across six healthcare institutions in southwestern Ontario. The cyberattack, which took place in October 2023, impacted Windsor Regional Hospital, Bluewater Health, Hôtel-Dieu Grace Healthcare, Erie Shores Healthcare, Chatham-Kent Health Alliance, and the Tilbury District Family Health Team clinic.

Ransomware Disrupted Services, Stole Sensitive Data

The incident severely disrupted medical services for several months. The IPC’s detailed report confirms that the breach resulted in the theft of highly sensitive information—including health card numbers, diagnoses, treatment details, and in some cases, social insurance numbers (SINs). Investigators confirmed that the stolen data was later posted on the dark web by a cybercriminal group, widely believed to be Daixin, though unnamed in the official report.

Cybercriminals Exploited Security Gaps

According to IPC investigator Francisco Woo, the attackers gained access using three legitimate but compromised administrator accounts. A lack of multi-factor authentication (MFA) on these accounts allowed the hackers to move undetected within the network. Woo confirmed that MFA has now been implemented across all impacted systems—a step cybersecurity experts say could have significantly minimized the breach.

Hospitals Responded Appropriately Post-Attack

Despite initial lapses, the IPC praised the hospitals and their shared IT provider, TransForm Shared Service Organization, for taking swift remedial action. In a joint statement, the healthcare institutions welcomed the IPC’s acknowledgement of their response and ongoing improvements. Measures include enhanced monitoring tools and better breach response protocols.

Unauthorized Data Collection Worsened the Breach

A key finding from the IPC report was that Bluewater Health in Sarnia had collected and stored about 20,000 SINs without proper authorization. These records, many dating back to 1999–2006, were unrelated to workplace insurance claims and should not have been on file. The presence of SINs increased the severity of the breach, exposing patients to heightened risks of identity theft. The hospital has since ceased collecting SINs and destroyed existing files.

Debate Over Notification to Affected Individuals

The investigation also highlighted a contentious issue: not all individuals whose data was breached were notified. Hospital lawyers argued that encrypted data wasn’t technically accessed, while Woo insisted that access alone constituted a breach. The report confirms that additional notifications have now been issued, resolving the matter.

Recommendations for Stronger Cyber Defences

While the IPC will not conduct a further review, four key recommendations were issued to strengthen TransForm’s digital infrastructure. These include improved early threat detection systems, better alert protocols, and incident response measures. Cybersecurity expert David Shipley emphasized that IT systems are essential to modern healthcare and called on both provincial and federal governments to invest in cybersecurity and actively pursue cybercriminals.

National Action Needed to Prevent Future Attacks

Shipley stressed that while Ontario is moving in the right direction with legislative steps, a unified federal response is urgently needed. “IT is not just a back-office function—it’s the backbone of our healthcare system,” he said. “This attack should be a wake-up call for policymakers to fund, legislate, and enforce stronger protections across all sectors handling sensitive Canadian data.”

For continuous coverage and real-time updates, keep following Maple News Wire.
