Ontario health agency informed of cyberattack more than 2 months before telling patients
The provincial agency overseeing Ontario’s home care system was informed about a massive data breach in April, Global News has learned, more than two months before the public, along with hundreds of thousands of impacted patients, were notified.
Ontario Health atHome, a Crown agency recently created by the Ford government to coordinate resources for home care and palliative patients, has been under scrutiny after a cyberattack that impacted one of its vendors was kept under wraps for months.
The attack, believed to have affected as many as 200,000 patients, took place sometime in March but was only revealed to the public in late June.
Now, officials with the agency have confirmed that they were made aware of a cybersecurity incident as early as April 14, but waited until the end of May to inform Ontario’s Information and Privacy Commissioner — as required by law — and until June 27 to tell patients.
“On April 14, Ontario Medical Supply (OMS) notified Ontario Health atHome that it was experiencing system outages and a potential cyberattack impacting their information system and operations,” a spokesperson for Ontario Health atHome told Global News.
The latest revelation has led to accusations of “deception” by the health agency, which indirectly reports to Health Minister Sylvia Jones.
While the extent of the cyberattack in March remains unclear, Ontario Medical Supply claims to have been unaware of the incident because the company’s system didn’t go down until mid-April.
Officials with Ontario Health atHome said on or around April 14, OMS found out its system had suffered some kind of cyber breach, triggering an investigation into the situation.
Ontario Health atHome said more than a month later, on May 21, OMS finally confirmed that the breach involved patient information including “name, contact information and medical supplies or equipment ordered.”
The agency notified the Information and Privacy Commissioner of Ontario on May 30 — nine days after it was confirmed, weeks after first being told and more than two months after the initial breach took place.
Patients and the public, however, were only informed on June 27, when Liberal MPP Adil Shamji revealed the cyberattack had happened, forcing the Ministry of Health to admit the breach had taken place.
Shamji accused Ontario Health atHome of “incompetence” and “deception” over the lengthy delay.
“That is incompetence; it also speaks to deception,” he told Global News.
“The fact that Ontario Health atHome knew on April 14 that patient health information had been compromised. And yet they waited six weeks before filing a report with the Information and Privacy Commissioner is not the way it’s supposed to be done… it speaks to negligence.”
After Shamji revealed the cyber incident at the end of June, Health Minister Sylvia Jones said she had “ordered” Ontario Health atHome to inform patients their data could have been impacted.
It was then the agency informed patients there had been a breach, creating a phone number and email address for anyone concerned to reach out to.
Shamji said the delay could have been dangerous for patients.
“There is immense risk,” he said.
“The kind of information that we have been led to believe has been disclosed is things like patient’s diagnoses, their addresses, names, email address information, prescription data.
“All of these things can be used to blackmail people, engage in phishing, identity fraud or identity theft.”
globalnews
