3rd Party Risk Management , Fraud Management & Cybercrime , Governance & Risk Management

5 Ontario Hospitals Still Reeling From Ransomware Attack

Hospitals Can't Access Patient EHRs, Crime Group Says it Has Records of 5.6 Million
5 Ontario Hospitals Still Reeling From Ransomware Attack
Windsor Regional Hospital is among five Ontario hospitals still struggling to recover from an Oct. 23 ransomware attack that hit the facilities' shared IT services provider. (Image: Windsor Regional Hospital)

Five regional hospitals in Ontario, Canada are operating under "Code Gray," meaning they still have no access to patients' electronic health records and other critical data nearly two weeks after an attack on their shared IT services provider. Ransomware group Daixin Team is claiming it stole sensitive data pertaining to more than 5.6 million patients in the campaign.

See Also: Every Second Counts: 6-Step Ransomware Remediation Guide

TransForm Shared Services Organization confirmed on Tuesday in an updated statement that the Oct. 23 incident involved a ransomware attack that continues to affect the shared IT services group and its five member hospitals - Bluewater Health, Chatham-Kent Health Alliance, Erie Shores HealthCare, Hôtel-Dieu Grace Healthcare and Windsor Regional Hospital (see: Attack on Shared Supplier Affects 5 Hospitals in Ontario).

"Unfortunately, certain patient, employee and professional staff data has been taken and there is the possibility that the actors responsible for this attack may publish some of the stolen data," TransForm said in the statement issued jointly by the five hospitals. "We continue to investigate to determine the exact data impacted, and any individuals whose data was affected by this cyberattack will be notified in accordance with the law."

The group said it is working closely with law enforcement - including Interpol, the FBI, local police departments and Ontario Provincial Police - and that it has notified "all relevant regulatory organizations including the Ontario Information and Privacy Commissioner."

TransForm did not immediately respond to Information Security Media Group's request for additional details about the incident.

'Sorry, You've Been Blocked'

Visitors to the affected hospitals' websites on Thursday were greeted with the message, "Sorry, you have been blocked. You are unable to access" the sites.

The recorded greeting at Windsor Regional Hospital's main telephone number on Thursday morning advised callers that "the hospitals in our region are experiencing a code gray, which is a systems outage that blocks our access to electronic health records. Please note that our investigation may take our cybersecurity experts some time to complete. We have limited information and thank you for your patience."

TransForm in the joint statement said the hospitals will continue "to do their best" to contact patients directly in advance if they have a scheduled appointment at one of the affected facilities that needs to be rescheduled. "If patients do not need emergency care, we ask that they please attend their primary care provider or local clinic," the statement said.

Canadian news outlet CBC reported Tuesday that some cancer patients of the affected hospitals were being sent to other facilities for their radiation treatments.

"We understand the impact this incident is having on members of our community, including patients and our employees and professional staff, and deeply apologize for the inconvenience this has caused," TransForm said in the joint statement.

Meanwhile, cybercriminal group Daixin Team on Wednesday began leaking data on its dark web site that it had stolen from the five hospitals. The group also claimed to have destroyed backups as part of the attack, according to blog site DataBreaches.net.

The cybercriminals said that that the exfiltrated data stash includes 160-gbytes of "sensitive documents," more than 5.6 million patient records containing personal identifiable and health information. That includes names, birthdates, medical record numbers, Social Security numbers, patient account numbers, and medical and treatment details.

"While Daixin's claims do not seem particularly implausible, there could certainly be elements that are untrue or exaggerated in order to put the hospitals under additional pressure," said threat analyst Brett Callow of security firm Emsisoft.

"Unfortunately, I don’t believe that we can defend our way out of the ransomware problem and that it will be with us until if and when the payment of ransom demands is prohibited," he said. "As that seems unlikely to happen any time soon, the reality is that these attacks - which potentially put lives at risk - will continue. It's not a matter of if another hospital will be hit; it's a matter of when."

Prior Warning

Daixin Team was also the subject of a joint alert sent to the healthcare sector in October 2022 by the FBI, the U.S. Department of Health and Human Services, and the Cybersecurity and Infrastructure Security Agency.

At that time, the agencies warned that the ransomware group had been targeting the healthcare sector since at least June 2022 with attacks encrypting servers supporting healthcare services, including EHRs, diagnostics, medical imaging and intranet services - as well as exfiltrating patients' sensitive with threats to release the information if a ransom is not paid (see: Security Alert: Daixin Ransomware Targets Healthcare).

As of Thursday, dark web monitoring firm Darkfeed counted at least 11 recent Daixin Team victims.

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.