Bluewater Health patient and staff data published by hackers


Information stolen in a cyber attack at Bluewater Health is now in the public domain.

The hospital issued a news release Thursday saying “We have become aware that data connected to the cyber incident has been published. We are reviewing the data to determine its contents.”

Oct. 25, TransForm Shared Service Organization – which runs IT, billing and supply services for five hospitals in Chatham-Kent, Windsor-Essex and Lambton including Charlotte Eleanor Englehart Hospital in Petrolia and other health organizations in the region – announced it was having IT problems linked to a cyber attack.

Oct. 27, TransForm said police were investigating the hack and that there was no estimate of when services at the hospital would return to normal. By Oct. 31, the investigation revealed that staff and patient data had been stolen.

Thursday, hospital officials said the information had been published. “Our leaders, on advice by our experts that we could not verify claims by the attacker, decided we would not yield to their ransom demands. We are aligned in this position with the governments of 40 nations, including Canada, who have recently pledged to never pay ransom to cyber criminals,” said Bluewater Health in the news release.

The OPP, INTERPOL and the FBI are working with the hospital on the hack. And health care officials said in a news release they “continue to work around the clock to restore systems” but have given no firm timeframe for when that might occur.

Oct. 25, the hospitals started notifying patients some appointments would be cancelled and staff was registering patients who were able to keep appointments with pen and paper.

Bluewater Health has yet to answer any questions about what hospital services have been affected by the hack.

In Windsor, the regional hospital told CBC that cancer patients’ radiation treatments have been transferred to other hospitals not affected by the hack.

The joint statement Thursday added Ontario’s Information and Privacy office has been notified of the breach. That’s one of the requirements for health care providers under the Personal Health Information Privacy Act. It also requires health care providers to take precautions to safeguard against theft, loss, as well as unauthorized collection, use, disclosure, copying, modification or disposal of your personal health information.

And health care organizations must “notify you, at the first reasonable opportunity, of the theft or loss or of the unauthorized use or disclosure of personal health information” and “of any uses and disclosures of your personal health information that occurred outside of their information practices and without your consent.”