Held Hostage: Thousands of Patients’ Medical Records Held For Ransom in Ontario Home Care Data Breach
The personal contact information and detailed medical histories of possibly tens of thousands of home-care patients in Ontario, Canada are allegedly being held for ransom by hackers who have breached the computer systems of health-care provider CarePartners.
CarePartners is a provider of home medical services that is contracted by the government of Ontario. The company announced in June that there had been a data breach and that patients’ information had been “inappropriately accessed,” without further elaboration.
A group claiming responsibility for the breach provided a sample of the data they took to CBC News. The sample includes thousands of detailed patient medical records and contact information. Another document shows over one hundred active patient credit card numbers and security codes.
The thieves claimed that the sample is a small percentage of hundreds of thousands of patient records and information that they possess.
“We requested compensation in exchange for telling them how to fix their security issues and for us to not leak data online,” they told CBC News.
CarePartners hasn’t answered questions about the ransom and it isn’t known if or when the attackers will post the sensitive data online.
A Forensic Investigation Is Underway
CarePartners stated that the attackers contacted the company on June 11th by email, with an attachment containing a sample of patient and employee data that the company later verified as authentic. A week later, on June 18, the company issued a news release notifying patients of the breach. The company stated that it informed the affected employees directly.
The Office of the Information and Privacy Commissioner of Ontario is investigating. “We will be assessing whether the breach could have been prevented, whether adequate steps are being taken to respond to it, and to ensure that systems are in place to help prevent future breaches.”
Under Ontario’s Personal Health Information Protection Act, health-care providers are required to “take precautions to safeguard against theft, loss, as well as unauthorized collection, use, disclosure, copying, modification or disposal of your personal health information” and ensure that health records are kept securely.
Violations of the act can lead to prosecution. If found guilty, companies can be fined up to $500,000, and individuals may be fined up to $100,000.
Attackers Claim There Was No Encryption
The attackers claim they discovered and exploited a vulnerability in software that hadn’t been updated in two years. They say that the attack was “completely avoidable” and that none of the data they accessed was encrypted.
CarePartners said it “takes the safeguarding of personal health and financial information seriously,” that it regularly updates its systems, and that it relies on a “leading third party” to manage its computers and networks.