Data breach at Toronto health network possibly exposed patient information, OHIP numbers

A Toronto health network says some of its servers containing a variety of personal patient information were recently breached.

Leak affects patients at Scarborough Health Network hospitals prior to Feb. 1

The Birchmount Hospital, also known as Scarborough Grace, is one of the hospitals in the Scarborough Health Network. (Google Maps)

A Toronto health network says some of its servers containing a variety of personal patient details were recently breached.

The Scarborough Health Network (SHN), which includes three hospitals and eight satellite sites, said in a statement Wednesday their IT department first noticed "unusual activity" on its servers Jan. 25. Its investigation with cybersecurity experts found past and present patient data may have been accessed.

"We take the privacy and security of business contact and personal information very seriously, and sincerely regret that this Incident occurred," the network said in its statement.

"We can confirm that the unauthorized actor was shut out of the system by February 1, 2022. Patient data from February 1, 2022 and onward is not at risk."

The leak may have impacted anyone who received in-patient care at an SHN hospital prior to Feb. 1, whose data would have been collected for their chart.

The hospital network said it couldn't determine which patients were specifically affected but that it included patients who received care prior to the amalgamation of SHN Centenary Hospital (also known as Scarborough Centenary Hospital), SHN General (also known as Scarborough General), and Birchmount Hospital (also known as Scarborough Grace) under one network in 2016. It also affects patients who received care at hospitals that were part of the former Rouge Valley Hospital Network, including RVHS Ajax and Pickering Campus or Ajax-Pickering Hospital.

Those who only visited a COVID-19 clinic affiliated with SHN were not affected, as their data was uploaded to provincial ministry servers. 

'No indication' data has been misused: SHN

The health network says large swath of information may have been accessed, including their patients' names, dates of birth, marital statuses, home addresses, phone numbers, email addresses, OHIP numbers, insurance policy numbers, lab results, diagnosis information, COVID-19 immunization records. Staff names and numbers may have also been accessed.

There is "no indication that any personal information potentially accessed in connection with the incident has been misused in any way" to date, the hospital network said in the release.

But due to the nature of the information, SHN is warning of potential identity theft and phishing attempts, and says it will not contact anyone by email requesting payment or other sensitive information. They've also notified Ontario's information and privacy commissioner about the incident.

SHN is also offering a two-year subscription to an online fraud monitoring service through TransUnion to all current and former patients, which can be activated anytime before Sept. 30 by calling the SHN call centre.