Hundreds of thousands of individuals impacted by a cyber attack at five hospitals across Southwestern Ontario will soon receive a letter in the mail if their personal information was stolen by cyber criminals.
A review is complete into affected data from the cyber attack at Windsor Regional Hospital, Hotel-Dieu Grace Healthcare in Windsor, Erie Shores HealthCare in Leamington, Bluewater Health in Sarnia, and the Chatham-Kent Health Alliance, along with their shared services provider, TransForm Shared Service Organization.
Individuals will start to receive letters in the mail during the week of April 8 from hospital providers if their information was stolen during the cyber attack that took place on Oct. 23, 2023.
According to a release from the five hospitals, except for Bluewater Health, Electronic Medical Records were not impacted, however personal health information stored elsewhere on the systems was involved, including patient and for some organizations employee information.
The leaders of the five healthcare centres stressed during a news conference Wednesday that each hospital was impacted differently as a result of the attack.
The following is the approximate number of patients per hospital that will receive notification by letter. If a patient was seen at multiple hospitals, they will receive multiple letters, so there is likely overlap in these totals.
- Bluewater Health: 82,000
- Chatham-Kent Health Alliance: 69,000
- Erie Shores HealthCare: 102,000
- Hôtel-Dieu Grace Healthcare: 46,000
- Windsor Regional Hospital: 27,800
President and CEO of Hotel-Dieu Grace Healthcare, Bill Marra, says some examples of the stolen data at the hospital include names, dates of birth, perhaps locations of care and some of our program details, diagnoses, treatment information , and health card number.
"What I want to underscore, and what is very important, is that the actual patient records were not accessed," he says.
President and CEO of Windsor Regional Hospital, David Musyj, says of the 27,800 individuals impacted at his hospital, they were largely from admission sheets, census sheets, and assignment sheets that staff saved to a shared drive.
"For example, clinical staff when they do rounding, meaning visiting with patients, they work off these documents. These contained the patients name, floor they were on, room they were in, and possibly their general diagnosis," he says. "They were not a patients health records, and they did not include social insurance numbers or bank accounts."
Musyj, says this was a criminal cyber attack.
"For our patients, I can say we have always understood the extreme importance of protecting the privacy of our patients. Lessons will be learned, applied, and shared with others. Although information breach from Windsor Regional Hospital files were indeed limited, we will be informing anyone whose information may have been breached, regardless of the extent of that breach," he says.
President and CEO of Erie Shores HealthCare, Kristin Kennedy, says no patient social insurance numbers, financial information, or medical records were part of the breach at the hospital in Leamington.
"This information impact in our organization is mainly cantered on a registration report, and administrative reports stolen from a restricted shared drive," she says. "The reports included patient name only, or a combination of information, including address, date of birth, health card number, and a generic reason for a patient visit."
A band of cyber-criminals called ‘Daixin Team’ claimed to be the group responsible for the cyber attack but a ransom was not paid.