The Information and Privacy Commissioner of Ontario (IPC) has completed a review into a massive cyberattack on five regional hospitals in 2023 and found hospital officials acted "adequately."
But in its decision, the IPC said the investigator found the custodians of the information did not notify affected individuals regarding the ransomware encryption and its impact on the patients’ personal health information, which they were required to do under the law.
The hackers stole and disclosed the personal health information of hundreds of thousands of patients at Bluewater Health, Chatham-Kent Health Alliance, Erie Shores HealthCare, Hôtel-Dieu Grace Healthcare, and Windsor Regional Hospital during the ransomware attack in October 2023.
"I find that although the custodians appropriately notified individuals affected by the data exfiltration, they were also required to notify those affected by the hostile encryption, which they did not. Despite this finding, I decide that there is no useful purpose in ordering additional notification at this stage," concluded the IPC. "In light of the measures taken to contain, investigate and remediate the incident, the investigator finds that the custodians have responded adequately to the breach and concludes that a review of this matter under Part VI of the Act is not warranted."
The hospitals issued a joint statement on Wednesday saying they appreciate the IPC’s thorough investigation into this matter and they are pleased that the IPC has acknowledged the efforts by the hospitals and TransForm Shared Service Organization to contain the breach after it occurred.
The hospitals are also pleased that the IPC acknowledged the improvements made to data and information protections since the ransomware cyberattack.
"We acknowledge that the IPC has noted concern surrounding the notification of individuals whose data was encrypted by the threat actors. In response to this incident, the hospitals issued regular news releases describing the impact on data and operations, participated in multiple press conferences, and directly notified more than 300,000 individuals of the incident," read the joint statement by the local hospitals.
The hospital group also noted it is dedicated to ensuring continued adoption of best practices in an ever-changing global cybersecurity environment.
The hospitals added they are unable to comment further due to ongoing litigation.
The investigation revealed the hackers infiltrated TransForm's network by leveraging three compromised administrator accounts associated with the network.
They gained access to health records and other information by leveraging one administrator account to establish an external VPN connection to the network. According to the IPC, this account held privileges that allowed access to the entire network; the IPC added that the hackers initially entered the network at the "segmented portion" dedicated to Bluewater Health.
The hackers were then able to “live off the land,” using a legitimate account to access the network and avoid detection, said the IPC, adding that the hackers eventually used the same account to move and infiltrate deeper into other parts of the network.
Finally, the IPC reported the hackers used a third administrator account, which had access to controls over the local operating system of the overall network, to deploy a script which automatically encrypted the network’s virtual server infrastructure, resulting in the encryption of 192 virtual servers.
The affected servers were mostly ones that supported the hospitals’ clinical care and diagnostic testing procedures and back-office administrative functions.
The investigation also revealed the hospitals' network was not equipped with multi-factor authentication.
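One way a defender could check logs for the pattern the IPC describes, a privileged account opening an external VPN session without MFA and then reaching beyond the segment it entered, is sketched below. This is an added example, not taken from the IPC decision or the hospitals; the event fields, account names and segment labels are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events (not from the IPC decision); all field names,
# account names and segment labels are assumptions for illustration.
EVENTS = [
    {"ts": 1, "account": "adm-a", "event": "vpn_login", "external": True, "mfa": False, "segment": "bluewater"},
    {"ts": 2, "account": "adm-a", "event": "host_access", "segment": "bluewater"},
    {"ts": 3, "account": "adm-a", "event": "host_access", "segment": "shared-services"},
    {"ts": 4, "account": "nurse-1", "event": "vpn_login", "external": True, "mfa": True, "segment": "bluewater"},
    {"ts": 5, "account": "adm-b", "event": "vpn_login", "external": True, "mfa": True, "segment": "windsor"},
    {"ts": 6, "account": "adm-b", "event": "host_access", "segment": "windsor"},
]
PRIVILEGED = {"adm-a", "adm-b"}  # constructed list of administrator accounts


def review_events(events, privileged):
    """Return (account, finding) pairs for privileged accounts, in time order."""
    findings = []
    entry_segment = {}           # account -> segment where its external VPN session landed
    touched = defaultdict(set)   # account -> segments reached since that VPN login
    for ev in sorted(events, key=lambda e: e["ts"]):
        acct = ev["account"]
        if acct not in privileged:
            continue
        if ev["event"] == "vpn_login" and ev.get("external"):
            entry_segment[acct] = ev["segment"]
            touched[acct] = {ev["segment"]}
            # Finding 1: remote access by an administrator with no second factor.
            if not ev.get("mfa"):
                findings.append((acct, "external VPN login without MFA"))
        elif ev["event"] == "host_access" and acct in entry_segment:
            # Finding 2: the session leaves the segment it entered (reported once per segment).
            if ev["segment"] not in touched[acct]:
                touched[acct].add(ev["segment"])
                findings.append(
                    (acct, f"crossed from {entry_segment[acct]} into {ev['segment']}")
                )
    return findings


if __name__ == "__main__":
    for account, finding in review_events(EVENTS, PRIVILEGED):
        print(f"{account}: {finding}")
```

Because the account in the incident was legitimate, neither finding depends on spotting malicious tooling; both rely only on who logged in, from where, and which segments the session touched.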
"The custodians submitted that the forensic investigation was unable to determine how these accounts had their credentials compromised. However, based on the information provided, the compromise of these administrator accounts played a pivotal role in enabling the ransomware attack," wrote the IPC.
The IPC also noted its satisfaction that the custodians have put in place appropriate measures to contain and remediate the incident and to ensure reasonable safeguards, but it also made recommendations for the custodians to further improve their practices.