Saturday, September 18, 2021

Ontario home healthcare provider hacked, attacker wants money ‘for telling them how to fix their security’

The attacker would like to portray itself as providing a service, but ransom and blackmail are better words.

CBC News says a person or persons is demanding a payment from CarePartners, an Ontario home care provider, after apparently stealing thousands of detailed digital patient medical records.

“We requested compensation in exchange for telling them how to fix their security issues and for us to not leak data online,” CBC says an attacker told it.

To show it actually has data the attacker sent some files to the CBC, which says they include phone numbers and addresses, dates of birth, and health card numbers, as well as detailed medical histories including past conditions, diagnoses, surgical procedures, care plans and medications for patients across the province. It also included employee data. The attackers claimed the sample was a part of  hundreds of thousands of patient records and related materials they have going back to 2010.

CarePartners issued a press release June 18 saying it “has become the victim of a cyber-attack by sophisticated actors.” Patients and staff have been notified.

Later someone claiming to be an attacker contacted the CBC. The attackers said that they discovered vulnerable software on CarePartners’ network that had not been updated in two years “by chance,” and were able to exploit those vulnerabilities and weak passwords to remove hundreds of gigabytes “completely unnoticed.”

“This data breach affects hundreds of thousands of Canadians and was completely avoidable,” the group told CBC News. “None of the data we have was encrypted.”

Waterloo, Ont. police and the Ontario privacy commissioner are investigating.

The incident is another example of how any organization of any size that holds personal health data can be a target for data thieves and ransom. This data has to be protected with sophisticated  methods. Among other things that could include network segmentation, encryption and multi-factor authentication for those allowed access to that data.

CBC News points out that under Ontario’s Personal Health Information Protection Act, health-care providers are required to “take precautions to safeguard against theft, loss, as well as unauthorized collection, use, disclosure, copying, modification or disposal of your personal health information” and ensure that health records are retained securely.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication. Click this link to send me a note →

Jim Love, Chief Content Officer, IT World Canada
Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Related Tech News