Scarborough Health Network (SHN) has issued a public notice warning of a “cybersecurity incident” that may have resulted in patient data being accessed.
In a statement issued Wednesday, SHN said the issue was identified on Jan. 25 and the health network “immediately retained” a cybersecurity team to conduct an investigation and contain the incident.
SHN said the “unauthorized actor” was shut out of the system by Feb. 1, meaning data from that date onward is not at risk.
SHN said patent data including ID numbers, names, genders, birth dates, email addresses, home addresses, OHIP numbers, lab reports, procedure descriptions, insurance policy numbers, immunization statuses, diagnosis information, as well as staff names, physician names and numbers may have been accessed.
“This could affect both past and present patient data from all SHN hospitals,” the statement said.
SHN said that if an individual visited one of their COVID vaccine clinics, their data was uploaded to the Ministry of Health and was not affected.
Only those who were admitted to an SHN hospital, received in-patient care and had the vaccination information included in their patient chart may have had it exposed, the statement said.
“While the investigation is now complete, SHN and its experts are continuing to closely monitor the situation and have not detected any malicious use of the data that was accessed,” the statement said.
“SHN has reported the breach to the Office of the Information and Privacy Commissioner of Ontario to respond to this incident in accordance with best practices and with the Personal Health Information and Protection of Privacy Act.”
The statement said that “out of an abundance of caution,” current and former SHN patients should be “diligent” in monitoring accounts and for incidents of fraud and identity theft.
All SHN patients are being offered two years of free credit monitoring service from Trans Union of Canada. They can call 1-888-874-2140 to activate it.
SHN president and CEO Elizabeth Buller said they “sincerely regret” that the breach occurred.
Buller said they acted as quick as possible to ensure clinical operations weren’t affected.
When asked why SHN only released a public notice now when the incident happened in January, the health network said “a comprehensive investigation took time and we wanted to ensure we understood all the facts and appropriate remedies in order to provide accurate information to our patients, SHN team members, and stakeholders.”
SHN said their investigation concluded not all patient data was compromised but due to the incident’s “complexity,” it’s not clear how many individuals have been affected.