.jpg)
A group claiming responsibility for a recent cyberattack on an Ontario home medical care services company has revealed that it is holding patient data to ransom.
Last month, CarePartners (a provider of home medical care services on behalf of the Ontario government) announced that it had suffered a data breach. The company initially stated that the personal health and financial information of patients had been “inappropriately accessed” without elaborating any further.
However, recently, an anonymous group contacted CBC News claiming it had carried out the cyberattack. As proof, the group produced a sample of the data that it claims to have accessed.
CBC News reported that the data sample includes thousands of patient medical records, showing phone numbers, addresses, birthdates, healthcare numbers, as well as detailed medical histories. Another one of the documents contained over 140 active patient credit card numbers and expiry dates – many with security codes.
The attackers claimed that the sample was just a subset of hundreds of thousands of patient records and other related materials, which all date as far back as 2010.
“We requested compensation in exchange for telling them how to fix their security issues and for us to not leak data online,” the attackers said, adding that they discovered vulnerable software on CarePartners’ network that had not been updated in two years.
“This data breach affects hundreds of thousands of Canadians and was completely avoidable,” the group explained. “None of the data we have was encrypted.”
In a statement, CarePartners said that it had received an email from the attackers on June 11. Attached to the email was an authentic sample of patient and employee data. It was only a week later – June 18 – that the company issued a release notifying patients of the breach.
The company told CBC News that its investigation has currently identified 627 patient files and 886 employee records that were accessed. The sample obtained by the news outlet, however, appears to have names and contact information for over 80,000 patients.
