Five Ontario hospitals affected by a ransomware attack last fall say they’re mailing more than 326,000 letters to notify patients whose personal information was stolen.
The cyberattack targeted Bluewater Health, Chatham-Kent Health Alliance, Erie Shores HealthCare, Hôtel-Dieu Grace Healthcare and Windsor Regional Hospital on Oct. 23.
The hospitals say in a joint statement that except for Bluewater Health, electronic medical records were not affected in the attack.
However, they say personal health information stored elsewhere on the hospitals’ systems was stolen and some of that data was published on the dark web.
The hospitals estimate that a total of 326,800 patients had their information stolen, but note that some of those people may have been counted more than once if they were seen at multiple hospitals.
Patients who attended more than one of the affected hospitals can expect to receive multiple notification letters.
“This incident was complex, and the data analysis took several months to complete,” the hospitals said Wednesday in their statement.
“This incident affected each hospital differently, and we took great pains to assess every impacted file to ensure that we notified all affected patients.”
Patients whose social insurance numbers were compromised will also be receiving information about credit monitoring, the statement said.
The hospitals said they discussed their patient notification approach with Ontario’s Information and Privacy Commissioner.
“To our patients, community, and health-care professionals, we truly apologize for the inconvenience this cyber attack has caused you,” they said.
In addition to the five hospitals, the ransomware attack also affected TransForm, a non-profit group tasked with overseeing the hospitals’ IT systems.
The group previously said the attack affected hospital operations as well as certain patient, employee and professional staff data, but it did not yield to ransom demands on the advice of experts.