Heather Wright/The Independent
The criminal organization which hacked into Bluewater Health’s computer system says the patient data it took has been sold.
But cyber security experts say it may just be another ploy to extract cash from people whose information was taken.
On Oct. 23, Daixin broke into the computer systems at Bluewater Health and four other hospitals in the region through TransForm Shared Services.
All the hospitals had some information taken and all hospitals' systems were affected, delaying everything from surgeries to MRIs and CT scans and routine testing. But Bluewater Health bore the brunt of the attack, with information from over 269,000 patient visits since 1992 and 20,000 social insurance numbers taken.
Daixin claimed responsibility for the ransomware attack and started dumping the information on the dark web when Bluewater Health and the other hospitals said they would not pay to have their systems restored.
The information had been circulating on the dark web, including sensitive details of things such as people's medical and mental health issues, with Daixin peddling it for sale. The private information can be used to “commit a variety of crimes including opening new financial accounts, taking out loans in, using to obtain medical services, using health information to target other phishing and hacking intrusions based on their individual health needs, using information to obtain government benefits, filing fraudulent tax returns using information, obtaining drivers licences in names but with another person’s photograph and giving false information to police during an arrest,” Daixin says in a dark web advertisement offering the information up.
It added the information included “names, dates of birth, medical record numbers, patient account numbers, social security number and medical and treatment information.”
Recently, Daixin posted that the data had been sold.
Brett Callow is a Threat Analyst with Emsisoft – an international security firm. “The data may not have been sold at all, and Daixin could simply be making the claim in an attempt to put their future victims under additional pressure,” he said in an email to The Independent.
“That said, people (affected should) hope for the best and plan for the worst. In other words, they should assume the data was sold and will be misused and take appropriate steps.”
Bluewater Health has offered credit watch protection for the 20,000 people – mostly people who had WSIB claims – for two years.
The Canada Revenue Agency warns people not to provide SIN numbers on job applications or rental agreements, saying that in the wrong hands, your SIN could lead to an invasion of privacy, identity theft, loss of government benefits, tax refunds or bank credits.
If someone uses your SIN to commit fraud, it could ruin your credit rating, according to the CRA website. Someone could also use your SIN to work illegally.
In this case, the Canada Revenue Agency may expect you to pay tax on income you did not receive.
It adds that if you have been affected by a data breach, you should contact Canada’s 2 major credit bureaus to monitor your file: Equifax at 1-800-465-7166 and TransUnion at 1-800-663-9980.
Regularly review your banking and credit card statements, especially after the credit monitoring service ends.
If you notice any suspicious activity, immediately report it to the police, contact the Canadian Anti-Fraud Centre, and inform Service Canada to reduce the potential impact.
Bluewater Health is still operating with some restrictions. Patient information is not always available and over 3,500 people have had procedures and tests postponed.
The hospital says it may be mid-December before the systems return to normal.