IPC says Bluewater Health reported data hack four days after it happened


It took Bluewater Health four days to inform by the Office of the Information and Privacy Commission about a ransomware attack.

The ransomware gang Diaxin broke into the computer systems of five hospitals in Southwestern Ontario Oct. 23. Records from over 269,000 patients dating back to 1992 were stolen from Bluewater Health. Another 20,000 social insurance numbers were also stolen.

In a statement to The Independent, officials said Bluewater Health reported the data breach Oct. 27, four days after it happened. The investigation is still active, officials said.

“The IPC has dealt with similar breaches of this size, and investigation times vary based on the complexity of the breach,” officials said in the statement.

“When we investigate a privacy breach, we look to establish whether the breach has been contained, the appropriate people have been notified, and whether corrective action has been taken to address the underlying causes of the breach and put in place reasonable safeguards to protect personal health information for the future.”

The IPC can issue order to organizations, such as Bluewater Health, to take corrective measures. 

And the IPC has the power to fine those responsible for the breach. 

The IPC statement concludes; “Health information custodians need to continually invest in information technology security measures to keep up with evolving risks. 

“They need to plan for cyber attacks by having measures in place to enable early detection and ensure that these systems are continually updated to meet security industry standards and best practices. 

“They must also continuously invest in and reinforce cyber security awareness education to ensure staff are adequately trained in recognizing and responding to cyber threats.”