Patients’ information — including the reasons for their visits — going back three decades from Bluewater Health in Sarnia, Ont., and its predecessor hospitals is among the data confirmed stolen in the cyberattack on five southwestern Ontario hospitals.
Transform, the hospital’s IT provider, now confirms a database report containing information on 267,000 patients was taken. The report includes details about “every patient” seen at Bluewater Health and its predecessors since Feb. 24, 1992.
Those predecessor institutions are:
- Lambton Hospitals Group.
- Charlotte Eleanor Englehart Hospital of Bluewater Health.
- Sarnia General Hospital.
- St. Joseph’s Hospital.
“We condemn the actions of cyber criminals, in the health-care sector and elsewhere, in our communities and around the world,” Transform said in a statement Thursday that was distributed by the hospitals.
“We understand the concern this incident has raised within our communities, including patients and our employees and professional staff, and we deeply apologize.”
The database report taken from Bluewater Health includes names and addresses, as well as the reason for the visit and “general notes on prior registrations” among other personal information.
According to a blog, cybercriminal group Daixin says it has attacked the hospitals in southwestern Ontario and forced them to go dark. CBC’s Jennifer La Grassa breaks down more details the group shared about how it got into hospital systems.
Social insurance numbers for about 20,000 patients at Bluewater Health and the other hospitals were also stolen, the hospitals say.
People whose social insurance numbers were included in the database report will be contacted directly and the hospital will provide two free years of credit monitoring services.
The hospitals now also say they have revised information about the data stolen from Hôtel-Dieu Grace Healthcare in Windsor.
“Unfortunately, HDGH can confirm the theft of an employee database report containing information of about 1,396 individuals employed by HDGH as of Nov. 4, 2022, and some former employees,” the hospitals said in a statement.
That employee data includes names, social insurance numbers and basic pay rates. The theft does not appear to include professional staff and volunteers, and no banking information was stolen.
The hospital had previously said some employee data was stolen, but no social insurance numbers were taken.
The hospital is providing two years of credit monitoring on site to current employees, and for former employees who have not signed up in person, the hospital will mail a letter.
According to the statement, the three other hospitals hit by the Oct. 23 cyberattack — Erie Shores HealthCare, Chatham-Kent Health Alliance and Windsor Regional Hospital — had no further updates to share. In an earlier update about stolen data, hospitals said social insurance numbers were stolen from more than 1,400 patients at Chatham-Kent Health Alliance.
The hospitals say some information obtained in the hack has been released online after they refused to pay a ransom.
The hospitals said they have reported the findings to Ontario’s Information and Privacy Commissioner, and say “those affected have the right to file a complaint with Ontario Information and Privacy Commissioner.”
A patient cybersecurity hotline has also been established for patient questions. It can be reached from 8 a.m. to 11 p.m. Monday to Friday at 519-437-6212.