Toronto’s Hospital for Sick Children is still dealing with a cybersecurity incident so serious it declared a ‘Code Grey’ — meaning an IT system failure.
On Monday, the hospital said the incident appears to have only impacted a few internal clinical and corporate systems, as well as some hospital phone lines and webpages.
“All patient care is continuing while SickKids investigates and works to resolve the situation,” the hospital said in a statement.
“Upon learning of this incident, we immediately activated the hospital’s incident management command centre and launched an investigation to determine the nature and scope of the incident. At this time, the incident appears to have only impacted a few internal clinical and corporate systems, as well as some hospital phone lines and webpages. Downtime procedures have been activated where needed.”
It has notified the province and expert third parties to resolve the incident as soon as possible.
For now, the public may experience difficulties calling into the hospital, and accessing some webpages such as AboutKidsHealth.ca (SickKids’ health information site) and the hospital’s Careers application portal, the hospital said.
Because of the sensitive nature of their work, criminals have targeted hospitals for some time, believing they are susceptible to being extorted, either because they are privately-run and therefore have money, or because they are heavily subsidized by governments and therefore have access to money.
One of the biggest cyber attacks on a healthcare system in Canada took place in 2021 on the health network of Newfoundland and Labrador. In addition to disrupting hospital services, over 200,000 files were copied from a network drive in what is widely believed to have been a ransomware attack. A file can be opened each time a patient visits a hospital, so the number doesn’t necessarily represent 200,000 people.
In May, news services reported that Toronto’s Scarborough Health Network said it had suffered a cyber incident five months earlier. Patent data, including ID numbers, names, genders, birth dates, email addresses, home addresses, OHIP numbers, lab reports, procedure descriptions, insurance policy numbers, immunization statuses, diagnosis information, as well as staff names, physician names and numbers, may have been accessed.