Hackers breached Canadian hospital network's servers, stole sensitive patient data

A Toronto-based Canadian health network has confirmed that it suffered a data breach that compromised the personally identifiable information of its patients and staff.

The Scarborough Health Network (SHN) said that an unauthorised third party gained access to its servers, compromising the personal information of several patients and employees at its pre-amalgamation SHN institutions. 

 

SHN is a major Toronto-based health network that operates the Scarborough General, Centenary, and Birchmount hospitals and is affiliated with the University of Toronto Faculty of Medicine.

Following an investigation into the cyber incident, SHN said that its IT team identified unusual activity on its systems on January 25, 2022. The team immediately took steps to contain the incident and involved leading third-party cybersecurity experts to investigate the matter. Upon investigation, it was identified that past and present data records of patients stored in several of the hospital’s servers were breached.

Elizabeth Buller, the President and Chief Executive Officer at SHN, said, “SHN takes the privacy and security of patient, staff, and business contact and personal information very seriously, and we sincerely regret that this incident occurred.

 

twitter.com/SHNcares/status/1529481185822494720

“I want to assure patients that we acted as swiftly as possible to contain and investigate the incident to ensure that our clinical operations were not impacted. Furthermore, all IT security improvements that were identified as a result of our investigation were immediately addressed,” she added.

Information that was compromised as a result of the unauthorised intrusion included patient ID numbers, names, genders, dates of birth, email addresses, residential addresses, OHIP number and version, insurance policy number, provider names, Provider (HCP Health care provider) and CPSO (College of Physician and Surgeons of Ontario) numbers.

The breached data also included Procedure description/orders performed, orders, results, Attending and/or ordering physician names, numbers, medical/clinical/diagnosis information/findings/reports, lab reports, COVID-19 treatment, and immunization records for those admitted to SHN, Staff names, and numbers.

The hospital network confirmed that data of people who visited a vaccine clinic that was affiliated with SHN was safe as it was uploaded to Ministry of Health servers only. “The only data related to COVID-19 vaccinations that may have been exposed is for individuals who were actually admitted to an SHN hospital and received in-patient care, where that information was included as part of their patient chart,” read SHN’s statement.

SHN has confirmed that the threat actor was shut out of the system by February 1, 2022. Hence, the data of individuals post that date is secure. The network has also stated that the initial investigation has confirmed that the compromised data has not been misused yet. 

 

However, the hospital network is still monitoring the situation and urges impacted individuals to monitor their accounts and remain vigilant for incidents of fraud and identity theft. The data incident has been reported to the Office of the Information and Privacy Commissioner of Ontario.