
An adjudicator with the Information and Privacy Commissioner (IPC) of Ontario has finished a review of the 2023 cyberattack that impacted five hospital groups in the region.
IPC investigator Francisco Woo, in his report, said Transform Shared Services Organization (TSSO), the service provider to the hospitals, which include the Chatham-Kent Health Alliance (CKHA), has taken the right steps in the wake of the attack.
“After reviewing the details of the incident, investigation and the information infrastructure involved, I am satisfied that the custodians have put in place appropriate measures to contain and remediate the incident and to ensure reasonable safeguards,” Woo said in his report.
The attack impacted health records and information systems at Bluewater Health, CKHA, Erie Shores HealthCare, Hôtel-Dieu Grace Healthcare and Windsor Regional Hospital.
In the late evening of Oct. 22, 2023, Transform began getting word from its network users that they were having issues with slow response or with logging into applications. The login efforts soon began failing.
Early the next morning, Transform officials discovered a ransomware note from a hacker, which Woo termed a “threat actor.”
Mere minutes later, Transform staff pulled the plug on the entire network. But the hacker had gotten into a number of files.
Cybercriminal group Daixin claimed responsibility for the attack.
The attack impacted an estimated 69,000 CKHA patients, involving names, addresses, diagnosis, treatment and appointment dates, with a limited number of Ontario health card numbers compromised.
Across the region, more than 300,000 patients were impacted.
Scrubbing and restarting applications took months.
The impacted hospital groups released a joint statement on the IPC report.
“We appreciate the IPC’s thorough investigation into this matter. We are specifically pleased that the IPC has acknowledged the efforts by the hospitals and TSSO to contain the breach after it occurred, as well as improvements made in our data and information protections since the time of the ransomware cyberattack,” the release said.
In his report, Woo said the hackers got into the system through Bluewater Health.
“The threat actor initially entered the network at the segmented portion dedicated to BWH (Bluewater Health),” the report stated. “The threat actor was able to then ‘live off the land;’ in other words, by gaining access to the network using a legitimate account, the threat actor was able to avoid detection. Eventually, the threat actor used the same account to move and infiltrate deeper into other parts of the TSSO network.”
In the wake of the attack, TSSO took steps to increase security.
“To remediate the incident, the service provider implemented additional safeguards to reinforce the security of its systems, including increased detection measures, traffic restrictions and multi-factor authentication,” Woo stated in his report.
Woo also made several recommendations to TSSO.
He suggested that TSSO review its early detection process and its ransomware response procedures, and ensure related risks are evaluated and managed adequately.
In the joint statement by the regional hospitals, officials said they appreciated the IPC investigator’s findings.
“We acknowledge that the IPC has noted concern surrounding the notification of individuals whose data was encrypted by the threat actors. In response to this incident, the hospitals issued regular news releases describing the impact on data and operations, participated in multiple press conferences, and directly notified more than 300,000 individuals of the incident,” hospital officials said in the release. “The hospitals appreciate the IPC’s finding that the hospitals appropriately notified those whose personal health information was stolen during this ransomware attack.”
The IPC’s decision concludes the IPC’s investigation – determining no formal review or orders are required.
Hospital officials said that due to ongoing litigation, there will be no further comment.
To view Woo’s report, visit https://decisions.ipc.on.ca/ipc-cipvp/phipa/en/item/521986/index.do






