Privacy investigator in Ontario hospital cyberattack outlines missteps, chances to improve
Private records were compromised for hundreds of thousands of patients and hospital staff
An investigation into a cyberattack that disrupted care at five southwestern Ontario hospitals for months reveals that while there were some missteps, the facilities and their IT provider properly responded to the situation.
The lengthy investigation, published online Wednesday by Ontario's Information and Privacy Commissioner (IPC), sheds more light on the October 2023 ransomware attack.
The data breach compromised health information from hundreds of thousands of people and temporarily upended care for patients at Windsor Regional Hospital, Bluewater Health, Hôtel-Dieu Grace Healthcare, Erie Shores Healthcare and the Chatham-Kent Health Alliance, along with a clinic: Tilbury District Family Health Team.
All of these healthcare facilities share an IT provider, TransForm Shared Service Organization — the target of the attack.
"In light of the measures taken to contain, investigate and remediate the incident, the investigator finds that the [hospitals, clinic and IT provider] have responded adequately to the breach," reads part of the investigation.
According to the report, between the six facilities, more than 516,000 people had personal health information stolen, including:
- Names, addresses, dates of birth.
- Social insurance numbers.
- Diagnoses, treatment information.
- Health card numbers.
- Health insurance information.
All of this data from the impacted patients was published on the dark web — a space where criminals often exploit personal information.
Two weeks after the attack took place, cybercriminal group Daixin took responsibility, though the investigation by the IPC doesn't name the group.
The healthcare institutions did not pay a ransom to retrieve the data, which experts who spoke with CBC News at the time said was the right thing to do.
In a joint statement from the five hospitals Wednesday, they said they are "pleased that the IPC has acknowledged the efforts by the hospitals and TransForm Shared Service Organization to contain the breach after it occurred, as well as improvements made in our data and information protections since the time of the ransomware cyberattack."
Cybercriminals snuck in through administrative accounts
The investigation finds that cybercriminals were able to gain access to about 150 GB of personal health information by using three "compromised administrator accounts."
Because they entered through legitimate accounts, IPC investigator Francisco Woo states, the attackers were easily able to avoid being immediately detected.
It's still unclear how the cybercriminals got access to the accounts, but Woo says that not having multi-factor authentication was "likely a contributing factor in how their credentials came to be compromised in the first place."
Multi-factor authentication is a security measure that requires a person to confirm their identity in more than one way, such as a password plus a one-time code, before they can access an account.
According to the report, multi-factor authentication has since been put in place.
Cybersecurity expert David Shipley says multi-factor authentication would have made a difference.
"It's not to say that an attacker can't get beyond even that, but that was the initial wound that would lead to the entire mess unfolding," said Shipley, head of Beauceron Security in Fredericton.
Sarnia hospital shouldn't have had SINs on file
Another point of concern for Woo was the 20,000 social insurance numbers (SINs) that had been stolen from Bluewater Health in Sarnia.
According to the report, the hospital lawyers had said the SINs were collected because of Workplace Safety and Insurance Board (WSIB) records. But the lawyers also confirmed that the hospital wasn't "authorized" to collect SINs from patients who were getting care related to WSIB claims.
And some of the stolen SINs also included ones gathered from patients between 1999 and 2006 who were not involved with WSIB.

Woo states that these SINs "created a point of vulnerability, which in this case, contributed to the severity of the privacy breach, exposing patients to added risk of threats such as identity theft and financial scams."
He said the hospital shouldn't have been gathering SINs, but confirmed that as of May 2024 it stopped collecting them and has destroyed the ones it had on file.
Some people not told information caught in attack
And finally, Woo pointed out that the hospitals didn't fully notify everyone whose information was impacted by the attack.
This was a point of debate between the healthcare facilities and Woo. Lawyers for the healthcare facilities argue that because some of the stolen information was encrypted, it wasn't actually seen by the cybercriminals and, as a result, the organizations didn't notify those patients.
But Woo disagrees, determining that the information was still accessed and lost, so the facilities should have notified those people.
Shipley, the cybersecurity expert, says this is a complicated debate.
"If someone looks at something, but they can't read it, was it really accessed?" asked Shipley.
"Yes, in the strictest possible interpretation, they were able to see a file existed."
But, he adds, the hospitals argued that "without the keys to unscramble [the information], it effectively said nothing."
It's possible that there could be future tools that help unscramble these stolen documents at some point in time, said Shipley.
The investigation report states that these patients have since been informed by the hospital, and that there's no need for further notifications.
Multiple recommendations put forward to boost security
The investigation says that TransForm has already taken steps to better secure their systems, including increasing their detection of bad actors in the system.
While Woo said he won't be moving forward with an additional review on this incident, he did provide four recommendations to boost TransForm's security practices.
"They want a better house alarm for the digital environment in these hospitals," said Shipley of the recommendations.

He said the suggestions include having TransForm beef up its early detection system so that it can know when an unauthorized person has been rifling through the data, while making sure there are no false alarms.
"And they want to make sure when the alarm goes off, someone is notified and people start taking action on it," he said.
Shipley added that it's all about making sure they have robust measures in place so that if someone gains access to the information, the organization can know how it happened, how long the files were accessed for, what was stolen and whether any sensitive information was manipulated.
Overall, Shipley says this isn't about blaming the IT organization, but rather asking federal and provincial governments to prioritize cybersecurity through additional funding and legislation.
"We all expect all healthcare dollars to go first [to] doctors, nurses, healthcare technologists, you name it, hospitals," Shipley said. "We all think IT is just that other thing, but it's actually responsible for allowing healthcare to be a hundred, even a thousand times more efficient, without it they can't do anything and we saw that with the attack."
Shipley said Ontario has put legislation forward that gets at improving the security of systems, but he said there needs to be more of a stance taken by the federal government to investigate and go after cybercriminals.
CBC News has reached out to the RCMP and Interpol on where the investigation into this ransomware attack currently sits.