The five southwestern Ontario hospitals that fell victim to a cyberattack confirmed Thursday that stolen patient data has been published, potentially leaving thousands of people vulnerable to identity theft, fraud, and other consequences.
Blackmailers launched the ongoing cyberattack against hospitals in Windsor, Leamington, Sarnia, and Chatham-Kent on Oct. 23. They executed a network-wide takedown of technology systems and obtained sensitive personal information about hospital staff and patients, some of which is now online.
Learning that the stolen data has been published left some patients feeling angry and helpless Thursday as they wait to hear if they are among those who have been victimized.
“It’s not good that the cybersecurity is so lacking that this happened in the first place,” said David Hughes, a Windsor Regional Hospital patient whose hip replacement was canceled amid the fallout of the ransomware attacks. “Why the hospital administration isn’t more proactive in guarding their computer systems with all of the security threats that are out there is also a concern.”
The cyberattack, which followed a blackmail attempt, hit Sarnia’s Bluewater Health, Chatham-Kent Health Alliance, the Windsor-Essex hospice, Erie Shores HealthCare, Hôtel-Dieu Grace Healthcare, and Windsor Regional Hospital.
“We have become aware that data connected to the cyber incident has been published,” the hospitals said Thursday in a joint statement. “We are reviewing the data to determine its contents.”
The organizations also stated their resolve on Thursday not to bend to the will of the blackmailers.
“Our leaders, on advice by our experts that we could not verify claims by the attacker, decided we would not yield to their ransom demands. We are aligned in this position with the governments of 50 nations, including Canada, who have recently pledged to never pay ransom to cybercriminals.”
The hospitals have not said what the blackmail demands were or if they know where the criminals are based. The hospitals also didn’t reveal Thursday what kind of information was published, where it was posted, or how many people might be affected.
“Working with leading cybersecurity experts, we continue to investigate to determine the exact data impacted,” they said. “Any individuals whose data was affected by this cyberattack will be promptly notified, in accordance with the law.”
Hughes said he feels there is nothing he can do except wait to be contacted by the hospital if his data is published. He is not planning to invest in fraud protection, but said that could change as more information emerges.
“If something came about where I was compromised financially, I’d want to take some sort of legal action against that company (TransForm Shared Service Organization) and have them pay to restore my information and pay for the damages,” he said.
“Our government should be more on top of this. Hospitals are operating on straining budgets as it is, and you know, cybersecurity should be important to them, but how much is it going to cost?”
The blackmailers got to the hospitals by targeting TransForm Shared Service Organization, which runs technology systems for all five facilities.
The ransomware attack shut down the hospitals’ access to Wi-Fi, email, and patient information systems. Surgeries and procedures were postponed. Cancer patients are being sent out of town for treatment. The hospitals have been unable to reach some patients. Staff have had to revert to paper charting.
Nearly two weeks after the ransomware attacks, some hospital systems are still not operating.
“We continue to work around the clock to restore systems, and we expect to have updates related to the restoration of our systems in the coming days,” the facilities said Thursday.
“The hospitals will continue to do their best to contact patients directly in advance if they have a scheduled appointment with one of our hospitals that needs to be rescheduled. If patients do not need emergency care, we ask that they please attend their primary care provider or local clinic.”
The hospitals confirmed earlier this week that staff and patient information had been stolen, and there was a fear that the data would be published online.
The organizations said they are working with several levels of Canadian and international law enforcement agencies, including local police departments, Ontario Provincial Police, INTERPOL, and the FBI. Health officials said they have also notified “all relevant regulatory organizations” including the Ontario Information and Privacy Commissioner.
“We understand the impact this incident is having on members of our community, including patients and our employees and professional staff, and deeply apologize for the inconvenience this has caused,” the hospitals said in the statement. “We want to thank everyone for their patience during this time.”