Bluewater Health should have been clear about ‘hostile encryption and its impact’ after cyber attack
June 18, 2025
Information and Privacy Commissioner report says the lockdown of patient data by hackers ‘overshadows the scale of data’ stolen and sold on the dark web
Heather Wright/The Independent
Ontario’s Information and Privacy Commissioner says Bluewater Health should have notified every patient whose data was locked down by encryption, even if it was not released, that their information was affected during the October 2023 cyberattack.
That finding comes from the report issued Friday by Francisco Woo, an investigator in the Office of the Commissioner.
Woo’s 35-page report examines whether Bluewater Health, its IT provider TransForm Shared Services and the four other regional hospitals affected by the Oct. 22 attack followed the notification rules set out in the Personal Health Information Protection Act.
Woo’s report says users of the system first alerted TransForm late in the evening of Oct. 22 that the system was slow. About two hours passed between the first slowdown and the point at which remote logins began failing and TransForm knew something was wrong. Three days later, TransForm and the hospitals notified the public of the attack. On Oct. 27 the group notified the Information and Privacy Commissioner that patient data might have been taken.
The hackers, known as Daixin, stole 5.6 million pieces of information from 267,000 patient services.
Woo says about 150 gigabytes of stolen information was placed on the dark web for sale. That included patients’ names, addresses and contact information. About 20,000 patients’ Social Insurance Numbers were also taken, along with photos of their operations, notifications to OHIP and insurance companies, residential withdrawal management patient charts, and financial information.
Daixin also deployed ransomware, hoping to extort payment from the hospitals. No payment was made.
The ransomware locked up 192 virtual servers at TransForm with more than 800 terabytes of data, according to Woo’s report. For reference, one terabyte of data can store 1,000 copies of the Encyclopedia Britannica which has about 33,000 pages.
“It was reported that the amount of the encrypted data, which included program and system files, exceeded 800 terabytes. While it is unclear what proportion constitutes the personal health information of patients, the overall scale of the encrypted data significantly overshadows the scale of data exfiltrated (stolen) in this attack,” writes Woo.
The IPC investigator found that while the hospital adequately notified the 267,000 patients whose data had been taken and later sold, it did not notify patients whose data was merely locked up and unavailable for use.
Woo says that under the Personal Health Information Protection Act, health information custodians must notify people of a breach at the first reasonable opportunity. Lawyers for the hospitals and TransForm argued that was not necessary for the data encrypted by the hackers, since it was clear no one had viewed it.
Woo cited earlier decisions which found that data encrypted without the patient’s knowledge constituted both an “unauthorized use” and a “loss” of personal health information.
“BWH temporarily lost access to its own EMR (electronic medical records) containing patient data,” Woo writes. “Not recognizing the encryption event as a loss would imply that individuals would be left uninformed of the incident in which a malicious third-party compromised the custodians’ control over personal health information.
“The statutory duty (of the hospitals) to notify (patients) underscores the fundamental understanding that personal health information “belongs” to the individuals to whom it relates and that they are entitled to know what happens to it in the custody or control of custodians to whom the information is entrusted, particularly where malicious actors are involved.”
The investigator acknowledged that Bluewater Health undertook a “wide campaign” to notify the public about the stolen information, but wrote: “I am not satisfied that this information sufficiently provides notice of the hostile encryption and its impact.”
Woo said notifying the patients whose data had been locked by the hackers would have given them “a more transparent and comprehensive account of the incident.”
While Woo found the hospital failed to formally notify the patients whose data was encrypted, he says they will now be informed by this decision and can ask the hospital for more information if they require it.
Woo said it would serve “no useful purpose” to order TransForm and the hospitals to issue additional notification.