Nearly 850 patient records at Ross Memorial Hospital in Lindsay, Ont., were accessed during what the hospital calls a cybersecurity incident in early February 2023.
On Thursday, hospital president and chief executive officer Kelly Isfan provided an update on the Feb. 5, 2023, cybersecurity incident. She said an investigation by its information technology team and external third-party cybersecurity experts determined that the personal health information of 847 patients was “affected and accessed without authorization.”
Isfan said patients were notified of the incident.
She said the cybersecurity was so extensive that some hospital’s systems — including its legacy MediPatient database — were so severely impacted that some if its applications and data were “rendered unusable.”
The incident prompted a IT Code Grey which included severing access to the internet. Isfan said that within 24 hours, the cybersecurity incident was considered contained.
She said hospital databases storing legacy health information from the 1960s to Feb. 5, 2023 were either encrypted and/or corrupted due to the cybersecurity incident. The databases affected included admission, discharge information, diagnostic imaging orders, and reports and consultation notes.
Corrupted records could include OHIP numbers, demographic information, lab results, diagnostic imaging, surgery results, medication usage, and more.
“Corrupted records include data in a file that may have been accessed without authorization, but it is impossible for RMH to confirm given the nature of the incident and the state in which the data was left, for example, if has become unusable, unreadable or inaccessible,” she said.
- Windows shattered, property damaged as May Day protests turn violent in Montreal
- Canada’s most wanted fugitive arrested in P.E.I. over Toronto homicide
- 4th youth charged with murder in killing of 16-year-old outside Halifax mall
- What we know — and don’t — in Ontario’s deadly Highway 401 police pursuit crash
“However, if data has been corrupted, RMH does not have any evidence to suggest this information was removed from our systems during the incident.”
Isfan says in most cases, the hospital was successful in restoring records of visits and supporting documentation over the last six decades.
But she notes a subset of these corrupted records may have been impacted “to the point where unfortunately, we are no longer able to access them.”
“Nevertheless, while this patient data may have been subject to unauthorized access, encryption, and/or corruption, there is no indication of any malicious use of PHI as a result of the incident,” she said.
She said the Information and Privacy Commissioner of Ontario was notified of the incident. Any patient who wishes to file a complain can visit ipc.on.ca online.
Patients are advised to be diligent in monitoring any accounts for any possible incidents of fraud or identity theft, the hospital said.
The hospital advises connecting with ServiceOntario for any concerns about your health card number by calling 1-800-267-8097 or at ontario.ca online.
Individuals with other inquires about the cybersecurity incident can call the hospital at 705-324-6111 ext. 6284.
Comments