TORONTO — The organization that regulates the nursing profession in Ontario was hit by a ransomware cyber-attack in which personal information might have been compromised, a spokeswoman said on Friday.
The College of Nurses of Ontario, which oversees about 188,000 members, offered few details about what it had previously referred to only as a “cybersecurity incident” it discovered Sept. 8.
“(The college) was affected by ransomware,” spokeswoman Angela Smith said. “To date, we have not received a ransom demand amount, nor have we been in contact with the hackers.”
Ransomware attacks typically involve a hack in which an intruder, often located abroad, gains access to an organization’s computer system and encrypts the stored information. The result is that the data cannot be accessed without a key the hackers promise to provide in exchange for money.
Companies big and small, municipalities and other government agencies around the world have been targets, often paying large sums to regain access to their own systems.
Just last month, the Regional District of Okanagan-Similkameen in southern B.C. was hit by a similar attack, causing elected officials and staff to lose access to their emails and complicating efforts to deal with a wildfire that forced hundreds from their homes.
The nurses’ college said it was implementing a range of options to resume operations safely and securely. Those options include restoring the inaccessible data from backups.
It remained unclear to what extent private and other sensitive information was compromised, but the college said it had embarked on a comprehensive forensic investigation with the help of an unnamed leading cybersecurity firm. Such information could include confidential corporate information, along with personnel, financial and disciplinary records.
“CNO is also seeking to determine whether personal information was compromised as a result of the incident that may require notification to individuals,” Smith said.
The college has not explained why it didn’t inform its members about the incident for more than a week after discovering the attack. It did say it has a third-party contact-management system unaffected by the hack to communicate with its members.
Doris Grinspun, who heads an association that advocates for nurses, expressed grave concern both about the hack, and the college’s reluctance to provide information about it promptly.
“That happened on the 8th (of September) and members and ourselves didn’t know,” said Grinspun, CEO of the Registered Nurses Association of Ontario. “My concern is, what else are they not disclosing?”
In the midst of its scramble to resolve the situation, the college this week approved a regulation change to expand the scope of practice for registered practical nurses. The decision taken amid the ongoing security incident has alarmed many nurses, with about 5,000 signing a letter to Premier Doug Ford and Health Minister Christine Elliott expressing their dismay.
The college did say it was in the process of resuming normal operations, but a number of its regular services remained shut down on Friday including access to membership renewal.