Data on 267,000 Sarnia patients going back 3 decades among cyberattack thefts at 5 Ontario hospitals

Patients' informationincluding the reasons for their visits goingback three decadesfrom Bluewater Health in Sarnia, Ont.,and itspredecessor hospitals is among thedata confirmed stolen in the cyberattack on five southwestern Ontario hospitals.

Transform, the hospital's IT provider, now confirms a database report containing information on 267,000 patientswas taken. The report includes detailsabout "every patient" seen at Bluewater Health and its predecessorssince Feb.24, 1992.

Those predecessor institutions are:

• Lambton Hospitals Group.
• Charlotte Eleanor Englehart Hospital of Bluewater Health.
• Sarnia General Hospital.
• St. Joseph's Hospital.

"We condemn the actions of cyber criminals, in the health-care sector and elsewhere, in our communities and around the world," Transform said in a statement Thursday that wasdistributed by the hospitals.

"We understand the concern this incident has raised within our communities, including patients and our employees and professional staff, and we deeply apologize."

The database report taken from Bluewater Healthincludes names and addresses, as well as the reason for the visit and "general notes on prior registrations" among other personal information.

WATCH | What group claiming it's behind cyberattack says about how it got into Ontario hospital systems:

According to a blog, cybercriminal group Daixin says it has attacked the hospitals in southwestern Ontario and forced them to go dark. CBC's Jennifer La Grassa breaks down more details the group shared about how it got into hospital systems.

Cybercriminal group claims responsibility for ransomware attack on hospitals

12 months ago

Duration 3:19

According to a blog, cybercriminal group Daixin says it has attacked the hospitals in southwestern Ontario and forced them to go dark. CBC's Jennifer La Grassa breaks down more details the group shared about how it got into hospital systems.

Social insurance numbers for about20,000 patients at Bluewater Health and the other hospitalswere also stolen, the hospitals say.

People whose social insurance numbers were included in the database report will be contacted directly and the hospital will provide two free years of credit monitoring services.

The hospitals now also say they have revised information about the data stolen from Htel-Dieu Grace Healthcarein Windsor.

"Unfortunately, HDGH can confirm the theft of an employee database report containing information of about 1,396 individuals employed by HDGH as of Nov.4, 2022, and some former employees," the hospitals said in a statement.

That employeedata includes names, social insurance numbersand basic pay rates. The theft does not appear to include professional staff and volunteers, and no banking information was stolen.

The hospital had previously said some employee data was stolen, but no social insurance numbers were taken.

The hospital is providing two years of credit monitoring on site to current employees, and for former employees who have not signed up in person, the hospital will mail a letter.

According to the statement, the three other hospitals hit by the Oct 23 cyberattack Erie Shores HealthCare, Chatham-Kent Health Alliance and Windsor Regional Hospital hadno further updates to share. In an earlier update about stolen data, hospitals said social insurance numbers were stolen from more than 1,400 patients at Chatham-Kent Health Alliance.

The hospitals say some information obtained in the hack has been released online after theyrefused to pay a ransom.

Sharon Polsky is the president of the Privacy and Access Council of Canada, the governing body for professionals who work in privacy and data protection.

She questions why patient informationwaskept in an accessible database for 30 years.

The implications are wide: Polsky said she would also be concerned for people born recently, whose data may be compromised but not discovered until much, much later like when they go to apply for their first credit card.

"I'll have questions. Why are patients social insurance numbers collected? Maybe there's a valid reason. I cannot think of one I certainly would have challenged it if I went to hospital and they asked me for my social insurance number."

Polsky says she would like to see organizations mandated to report information breaches like cyberattacks in a publicly-accessible database.

"Our view is that would give the people, who are to provide their informed consent before the organization collects their information, the ability to make an informed decision," she said.

"If I can find out that Hospital A has never reported a breach, Hospital B next door has reported one, two, 10 breaches in a month or a year, a decade, then I can make a more a better informed decision where to take my business, whether it's a hospital orthe store."

The hospitals saidthey have reported the findings to Ontario's Information and Privacy Commissioner, and say "those affected have the right to file a complaint with Ontario Information and Privacy Commissioner."

A patient cybersecurity hotline has also been established for patient questions. Itcan be reached from 8 a.m. to 11 p.m. Monday to Friday at 519-437-6212."