The TransForm Shared Service Organization office in Windsor is shown on Wednesday, January 31, 2024. Photo by Dan Janisse / Windsor Star

A probe by Ontario's privacy watchdog has revealed that hackers used the compromised accounts of three administrators to launch a devastating cyberattack against five hospitals and post millions of patient files on the dark web.

Hackers used the three accounts to infiltrate systems at TransForm Shared Service Organization (TSSO), a shared service provider, then spread their tentacles into the hospital systems, according to the Information and Privacy Commissioner (IPC).

The report, which also makes several recommendations to boost security, found that the accounts were not equipped with multi-factor authentication, an enhanced way to confirm a person's identity during a virtual sign-in process.

"The custodians submitted that the forensic investigation was unable to determine how these accounts had their credentials compromised," IPC investigator Francisco Woo wrote in the report. "However, based on the information provided, the compromise of these administrator accounts played a pivotal role in enabling the ransomware attack."

In October 2023, hackers infiltrated and shut down systems at five southwestern Ontario hospitals, demanding a ransom payment of about U.S. $8 million.

The hackers targeted Bluewater Health, Chatham-Kent Health Alliance, Erie Shores HealthCare, Hôtel-Dieu Grace Healthcare, and Windsor Regional Hospital. When the hospitals refused to pay, the criminals started posting millions of patient files online.

An infamous organized cybercrime gang called Daixin Team, which emerged around the middle of 2022, claimed responsibility for the sustained attack.

The criminals targeted the hospitals through their third-party service provider, TransForm, which ran supply and technology systems for all five hospitals.

"The attack did not impact networks not managed by TSSO, including electronic systems hosted locally at each of the hospitals and the clinic," Woo wrote.

The investigator concluded that binding orders or a further formal review are not warranted. But the report offers several recommendations.

The custodians (the involved hospitals) should review TSSO's early detection process to ensure an incident alert is classified properly and that the initial assessment of the alert is effective, according to Woo.

The report suggests a review of TransForm's Ransomware Response Procedure to ensure that it establishes how alerts are classified and the estimated response time to incidents.

Woo further recommends that the response procedure should be reviewed to ensure that it proactively sets out clearer evidence-collection activities, including the types of sources from which evidence could be obtained.

Pending TransForm's anticipated implementation of file integrity monitoring, Woo also suggests the hospitals ensure that related risks are adequately evaluated and managed in the interim period.

"We are specifically pleased that the IPC has acknowledged the efforts by the hospitals and TransForm Shared Service Organization to contain the breach after it occurred, as well as improvements made in our data and information protections since the time of the ransomware cyberattack," the hospitals said in a joint written statement.

"We acknowledge that the IPC has noted concern surrounding the notification of individuals whose data was encrypted by the threat actors."

The hospitals stated that in response to the attack, they issued regular news releases describing the impact on data and operations, participated in multiple press conferences, and directly notified more than 300,000 individuals of the incident.

The hospitals appreciate the IPC's finding that the hospitals appropriately notified those whose personal health information was stolen during this ransomware attack.

But the privacy commission was somewhat critical of how the hospitals handled those public updates and media releases. The investigator found that the public notices did not fully comply with the Personal Health Information Protection Act, which required hospitals to notify people whose personal health information was encrypted by the hackers.

The investigation found that the hospitals notified the public about the exfiltration, or the theft of data.

But Woo said they were also required to adequately inform patients about a hostile encryption (the hackers locked the hospitals out of their own systems and patient files while holding them for ransom), which they didn't do.

The hostile encryption resulted in the unauthorized use and loss of personal health information of their patients, according to the report.

Woo acknowledged the wide campaign the hospitals undertook to inform the public about the incident. But the investigator added the notices and public releases focused exclusively on the data exfiltration.

"They do not acknowledge the hostile encryption event or provide related details," Woo stated. "Some public releases make reference to the fact that a ransomware attack occurred and to technical issues experienced at the time of the incident. However, I am not satisfied that this information sufficiently provides notice of the hostile encryption and its impact."

Due to ongoing litigation (the healthcare agencies are facing a $480-million class-action lawsuit), the hospitals said they will not comment further and any media requests will be sent to their lawyers.

"In an information age where cybersecurity is top of mind across multiple sectors, including public and private sector entities, the hospitals are dedicated to ensuring continued adoption of best practices in an ever-changing global cybersecurity environment," the hospitals said.

With files from Taylor Campbell.
