Radiation care moved out of Windsor, international law enforcement working on cyberattack
OPP, Interpol and FBI are now assisting the hospitals' IT provider
Radiation treatments for cancer patients are being transferred to other hospitals. International law enforcement are investigating. Eight days after the cyberattack at five southwestern Ontario hospitals was first declared, the scope of the problem and the agencies working on the solution have become more clear.
Local health-care officials have now said the cyberattack is a case of ransomware. Patient and employee data was taken — and could be exposed.
"Sensitive medical data is extremely problematic in the hands of the wrong people. Where I would start is, what is the strength of the security measures these hospitals had employed to begin with?," said Ann Cavoukian, the former privacy commissioner of Ontario.
"I'm guessing, and I'm saying I'm guessing, I haven't examined it [but] I'm guessing they weren't very strong."
Cavoukian is also the executive director of data security company Global Privacy and Security By Design.
TransForm, the shared services organization founded by five local hospitals to manage IT and accounts, has been under a cyberattack that has affected their member hospitals for eight days.
In a statement Tuesday, TransForm said patient and staff data has been taken and information could be exposed as a result of the attack. People impacted by the cyberattack will be notified, the company said, and the FBI, as well as Interpol, are investigating.
"We continue to work around the clock to restore systems, and we expect to have updates related to the restoration of our systems in the upcoming week."
The attack has taken hospital email and internet offline.
"We have notified all relevant regulatory organizations including the Ontario Information and Privacy Commissioner," the organization said.
Before Tuesday's update it had been four days since the last official update on the cyberattacks that forced computer systems offline at several southwestern Ontario hospitals.
Cyberattack impacting radiation at Windsor Regional cancer care centre
The affected hospitals — Windsor Regional Hospital, Erie Shores HealthCare, Hôtel-Dieu Grace Healthcare, Bluewater Health and Chatham-Kent Health Alliance — have had to reschedule and postpone surgeries and appointments int he wake of the attack.
People are asked to visit local clinics or their primary care provider where possible and only attend the hospital for true emergencies.
The Ontario Ministry of Health has not returned multiple requests for comment from CBC News, saying in its lone statement last week that it was aware of the breach and was confident in TransForm's handling of the response.
On Tuesday, Windsor Regional Hospital (WRH) said in a statement its cancer care centre was also impacted by the cyberattack.
The hospital said there's currently no radiation treatment but it's working to implement radiation service without the equipment being compromised.
The hospital is also working with other cancer care organizations to transfer patients' current care well as new referrals for radiation.
According to the hospital, patients requiring chemotherapy and related services are being treated within WRH — with plans to also do so at other centres
Joannie Cowie is an outpatient at Windsor Regional Hospital. Frequently in the hospital for treatment because she is anemic, she also has growths that currently need to be biopsied and tested for cancer — something she says has been postponed.
She was at the hospital last week when the cyberattack first happened and said it's "very scary."
"When my IV bag came it came with handwritten instructions on the bag," Cowie said. "I can't believe it's still not fixed."
Cowie said staff were taking written orders and prescriptions through the hospital often at a run. While she commended staff for working as hard as they are, she says she believes the government needs to step up.
"They need to step up their game, the hospital and the Ford government because there are privacy laws and you don't just play games with people."
Andrew Dowie, Conservative MPP for Windsor—Tecumseh, said TransForm continues to work on this, with the help of outside experts.
"Restoring the systems back to where they need to be to offer the appointments and procedures, that is the priority for Transform, for the hospitals, and ultimately any way that the province can support them, certainly I want to share that those efforts are being made," said Dowie.
Cyberattack likely largest breach in Ontario history, silence 'deafening'
Daniel Tsai is a lecturer in technology at the University of Toronto. He says he believes TransForm took too long to declare the cyberattack.
As for where any patient data is: Tsai says if its published, it won't be on a website just anyone can access.
"People may not see it in a public sphere," he said. "That information can cause quite a bit of grief, anyone can buy that information off the dark web and try to extort people."
Tsai pointed to the highly publicized hack of Ashley Madison, the dating site geared toward infidelity, and the people who were blackmailed by criminals after that attack.
People should make sure they monitor their identity and banking information for possible signs of fraud, he added, but that won't help catch any medical data that could have been exposed.
This is likely the largest breach of information in Ontario history, he said. Other hospitals, including SickKids in Toronto, have also had cyberattacks.
"I'm surprised the minister of health hasn't addressed this issue," he said. "I think this is a huge problem and we need a plan of action here. So the silence is deafening.
"Not only did the hospital administrators in Windsor drop the ball by waiting more than a week to actually come out and say what the issue is but the leadership from the top down has also failed these patients, and that's shameful."
Medical information made public can have wide impacts
Cavoukian, the former privacy commissioner, says having medical data out there can have serious ripple effects.
"Conclusions can falsely be drawn on very sensitive data like medical data and in the wrong hands … it can get you into a lot of trouble," she said.
"Don't underestimate 'who would want my health data' … so identity, especially linked with sensitive health data, has to be extremely strongly protected."
Cavoukian says she also has an idea why the hospitals have been so quiet.
"I'm assuming they're very nervous about it because — I'm again assuming — sufficient measures weren't in place at the time of this breach," she said.
But current laws in place to safeguard patient and data privacy need to be updated.
"The use of encryption and the methodology of the encryption: This should be encoded in this legislation. It isn't," Cavoukian said. "Yes, you need to protect health data, but that's not enough. The how and where and what, the means required and the need to look under the hood after it's been done and audit what's been done, all of this is critical."
With files from Jennifer La Grassa and Bob Becken