Toronto health network data breach compromises patient information

Network includes three hospitals and eight satellite sites

Toronto health network data breach compromises patient information


By Lyle Adriano

A Toronto-based health network comprised of three hospitals and eight satellite sites has confirmed that its patient data was recently breached.

The Scarborough Health Network (SHN) issued a statement earlier this week that said its IT department first detected "unusual activity" on its servers on January 25. An investigation with cybersecurity experts revealed that both former and current patient data may have been compromised.

"We take the privacy and security of business contact and personal information very seriously, and sincerely regret that this incident occurred," SHN said in a statement, adding that the “unauthorized actor” was shut out of its system by February 01, and that patient data from February 01 and onward is “not at risk.”

The network also said that it currently could not determine which patients were affected by the breach, but pinpointed those who received care from SHN before it amalgamated with SHN Centenary Hospital (also known as Scarborough Centenary Hospital), SHN General (also known as Scarborough General), and Birchmount Hospital (also known as Scarborough Grace) in 2016. Patients who received care at hospitals that were part of the former Rouge Valley Hospital Network – which include RVHS Ajax and Pickering Campus, as well as Ajax-Pickering Hospital – are also affected.

As reported by CBC News, patients who visited a COVID-19 clinic affiliated with SHN have not been affected, since their data was uploaded to provincial ministry servers.

SHN said that information such as patients' names, dates of birth, marital statuses, home addresses, phone numbers, email addresses, OHIP numbers, insurance policy numbers, lab results, diagnosis information, COVID-19 immunization records, as well as staff names and numbers were potentially accessed. However, it stated that there is "no indication that any personal information potentially accessed in connection with the incident has been misused in any way.”

The network is offering a two-year subscription to an online fraud-monitoring service through TransUnion for those affected.

Earlier this week, another healthcare facility reported a cyber incident – Arnprior Regional Health (ARH). The non-profit-run hospital revealed that the perpetrators of the breach potentially accessed sensitive patient information, which includes their names, dates of birth, contact information, health card numbers, recent hospital visits, and diagnoses. Even individuals who are on ARH’s waitlists, who attended mass vaccination clinics, or were contacted by flu clinics were impacted by the breach, as their information was also compromised.

Keep up with the latest news and events

Join our mailing list, it’s free!