Patient care at five Southwestern Ontario hospitals is not yet back to normal two months after a massive cyberattack that has resulted in thousands of cancelled tests, busier-than-usual emergency departments and diversions to other centres, including in the United States.
The attack compromised the personal data of hundreds of thousands of patients and forced officials at the facilities – Windsor Regional Hospital, Sarnia’s Bluewater Health, Chatham-Kent Health Alliance, Erie Shores HealthCare and Hôtel-Dieu Grace Healthcare – to shut down their information technology systems. With no access to electronic patient records, doctors and nurses reverted to methods most hospitals left behind in the 1990s: pen-and-paper patient care.
Sheila Thomas was minutes away from getting the results of a CT scan at Bluewater’s cancer clinic on Oct. 23 when messages warning of an emergency blared over the loudspeaker. Soon after came the order to immediately turn off all computers. “We’ve been hacked,” said the clinic’s receptionist.
Ms. Thomas, who was diagnosed with breast cancer earlier this year, had an appointment with her oncologist to learn the findings of the scan – her first test since her mastectomy in May. Even now, she doesn’t know what it found because the hospital’s computer systems are still down.
“You never know with cancer what’s going to happen,” said Ms. Thomas, a 63-year-old retired chef. “That’s the biggest thing – not knowing what’s going on with your own body.”
As cybersecurity experts continue to work to get the hospitals fully back online, clinical systems have been restored at four of the facilities, with the exception of hardest-hit Bluewater Health.
There is no timeline for restoring services at Bluewater, said spokesman Keith Marnoch. The hackers stole a database containing information on every individual seen since 1992 – a total of 267,000 patients. The information included their names, dates of birth, addresses and reasons for seeking care. In addition, 20,000 of the patients had their social insurance numbers stolen. Since the attack, the hospital’s diagnostic imaging department has cancelled 5,200 appointments for MRIs, CT scans, mammograms, ultrasounds and other tests as of last week, Mr. Marnoch said, “causing a significant and growing backlog.”
At Windsor Regional, which is responsible for all acute-care services in the border city and is the largest of the five hospitals, the attack has also affected its ability to provide care to patients in myriad ways. It has referred 103 cancer patients for chemotherapy and radiation to other hospitals in Ontario and another 28 to Detroit.
It already had the longest emergency department wait times in Ontario, averaging just over four hours, largely because of a lack of primary-care services in the community on weekends and evenings. It introduced a new compensation system for ER doctors earlier this year, which had cut wait times in half just before the attack, only to see that progress undone.
For Ed Wing, who has been receiving care at Windsor Regional for stage 4 metastatic liver cancer, the cyberattack was “the last straw.” His appointment for a biopsy was cancelled twice earlier in October because of staffing shortages. His third appointment, scheduled for Oct. 25, two days after the attack, was also cancelled.
The 75-year-old retired heating and air conditioning service technician was preparing to pay for a biopsy in Detroit before he got sick with COVID-19.
He finally got one on Nov. 10 at Hôtel-Dieu Grace Healthcare, also in Windsor. The biopsy revealed seven lesions on his liver, requiring him to have a CT scan. But he was told he could not get one until the new year.
At the suggestion of his family doctor, Mr. Wing went to Windsor Regional’s emergency department at 9 a.m. on Nov. 27. He got the scan shortly after midnight after waiting more than 15 hours.
“I have no idea what’s going to happen to me,” he said. “Am I going to get treatment here, or am I going to end up going to the states, to Hamilton, to London?”
As a result of the cyberattack, Windsor Regional has sent Leslie Paterson to the U.S. for cancer treatment. She is undergoing chemotherapy every three weeks at the Karmanos Cancer Institute in Detroit, after surgery in September to remove a second tumour from her breast. She also had breast cancer back in 2012.
The Ontario Health Insurance Plan (OHIP) is paying for her out-of-country care, but each treatment must be approved in advance. The provincial Ministry of Health is working with Windsor Regional to expedite funding approval for treatment outside the country as a result of the cyberattack, said spokesperson Bill Campbell.
Ms. Paterson, 70, said doctors at Windsor Regional ruled out sending her to London, 190 kilometres away, after she said she would worry about being away too long from her 95-year-old mother, who lives in the same apartment building.
“The clinicians and the nurses have been nothing but fabulous,” Ms. Paterson said.
Hospitals hit in the cyberattack have also referred another 50 patients to London Health Sciences Centre’s cancer program. Sunnybrook Health Sciences Centre in Toronto, Canada’s largest trauma hospital, does not break out how many of the 240 patients transferred to it since October came from the hospitals hit in the cyberattack, said spokesperson Joshua Terry. But he said Sunnybrook provided some outpatient support to the five hospitals and helped Windsor Regional treat new cancer patients.
Despite the impact on patients, the only time the five hospitals’ chief executive officers have commented publicly was in a Nov. 17 video statement. Bluewater Health CEO Paula Reaume-Zimmer apologized for the impacts of the breach.
“The fact that this attack targeted a health care facility on the heels of a hard-fought pandemic is sickening,” she said.
The hospitals confirmed on Oct. 31 that they had fallen victim to a ransomware attack by cybercriminals who infiltrated their computer systems and attempted to hold their data hostage for large sums of money. The hospitals said they were working closely with local police departments, the Ontario Provincial Police, the FBI and Interpol.
OPP spokeswoman Gosia Puzio said officers continue to investigate the breach along with other agencies, but she did not provide any updates.
After hospital officials refused the ransom demands, the Daixin Team, a cybercrime group that predominantly targets the health care sector and claimed responsibility for stealing the hospitals’ records, posted some of the information on the dark web, a corner of the internet used for illicit purposes.
“We are not the first health care system to be struck by these bandits and will not be the last,” said David Musyj, the CEO of Windsor Regional, in a November presentation to the hospital’s board of directors.
The hackers obtained patient information from all five hospitals, but the breaches at Bluewater Health were the most extensive. While the hospitals use the same IT provider, TransForm Shared Service Organization, Bluewater is on a different system.
At Windsor Regional, the hackers got partway through the letter A in alphabetic folders identifying patients by name with brief summaries of their medical conditions before computer systems detected the unusual activity and set off an alarm, according to a hospital official.
In addition, the hackers snatched information on employees at Hôtel-Dieu Grace, Erie Shores and Chatham-Kent, including the social insurance numbers of more than 3,000 current and former staff.
Hospitals are increasingly a favourite target of hackers because they have reams of valuable personal information on patients and relatively weak procedures for securing it, said Terry Cutler, the CEO of a cybersecurity company based in Montreal.
Some hospitals avoid installing updates to fix security vulnerabilities in their computer systems because staff need access to patient files 24 hours a day and don’t want to risk network crashes, said Mr. Cutler, who conducts audits for organizations. He said he has encountered hospitals that hadn’t installed such security patches for years, including one that avoided doing so for eight years.
“They just don’t have the proper funding and they don’t have the proper expertise to maintain their environment, unfortunately. That’s the sad reality,” he said.
Half of all reported breaches in Canada in 2019 occurred in health care institutions, according to a report on cyberattacks published in the Canadian Medical Association Journal in November.
Sarnia Mayor Mike Bradley said the Ontario government needs to do more to protect the security of the health care system. “I’ve seen nothing from the province on this at all,” he said.
Mr. Campbell, the Ministry of Health spokesperson, said Ontario Health, the agency that oversees the delivery of health care, issued a directive to all hospitals this fall to begin aligning themselves with a provincial cybersecurity operating model, including technical controls to reduce the risk of attacks.
A proposed class-action lawsuit accuses the five hospitals and their technology provider of not employing adequate cybersecurity measures. The statement of claim, which has not been tested in court, alleges they “ought to have known that their security policies and practices were inadequate.”
Since filing the lawsuit last month in an Ontario court, lawyer Andro George said hundreds of people affected by the breaches have contacted his office.
As for Ms. Thomas, she is still anxiously waiting to learn whether cancer is growing in her other breast.
“I haven’t been a real nice person to live with the last few weeks.”