Public Notice Regarding Cybersecurity Incident
SCARBOROUGH (May 25, 2022) – Today, Scarborough Health Network (SHN) is issuing a public notice of an incident involving unauthorized access to data contained on several of SHN’s servers.
Patient data contained on a subset of SHN’s servers may have been accessed, including patient ID numbers, names, genders, date of birth, email address, home address, OHIP number, procedure descriptions, lab reports, staff names, physician name and numbers, insurance policy numbers, immunization status and diagnosis information. This could affect both past and present patient data from all SHN hospitals.
It is important to know that if people visited a COVID-19 vaccine clinic that was affiliated with SHN, their data was only uploaded to Ministry of Health servers and was not affected by this incident. The only data related to COVID-19 vaccinations that may have been exposed is for individuals who were actually admitted to an SHN hospital and received in-patient care, where that information was included as part of their patient chart.
As soon as the issue was identified on January 25, 2022, SHN immediately retained a leading third-party cybersecurity team to conduct a detailed investigation and to assist in containing the incident and restoring the security of our systems. We can confirm that the unauthorized actor was shut out of the system by February 1, 2022. Patient data from February 1, 2022 and onward is not at risk.
While the investigation is now complete, SHN and its experts are continuing to closely monitor the situation and have not detected any malicious use of the data that was accessed.
“SHN takes the privacy and security of patient, staff and business contact and personal information very seriously, and we sincerely regret that this incident occurred,” said SHN President and Chief Executive Officer Elizabeth Buller. “I want to assure patients that we acted as swiftly as possible to contain and investigate the incident to ensure that our clinical operations were not impacted. Furthermore, all IT security improvements that were identified as a result of our investigation were immediately addressed.”
SHN has reported the breach to the Office of the Information and Privacy Commissioner of Ontario (“IPC”) to respond to this incident in accordance with best practices and with the Personal Health Information and Protection of Privacy Act (“PHIPA”).
Out of an abundance of caution, SHN reminds current and former patients to be diligent in monitoring accounts, and remaining vigilant for incidents of fraud and identity theft.
To provide additional assurance and protection to all current and former SHN patients, SHN has also retained the assistance of Trans Union of Canada, one of Canada’s leading consumer reporting agencies, to offer two years of credit monitoring services at no cost to anyone who has been a patient at SHN. To activate monitoring, current and former SHN patients can contact the call centre at 1-888-874-2140.
For further details including a thorough Question-and-Answer section, please visit www.shn.ca/publicnotice.