CEOs of Ontario hospitals hit by ransomware attack break down impact on operations, patients
For the first time, top leadership from the five southwestern Ontario hospitals hit by a ransomware attack answered questions from the media — acknowledging the significant impact the incident has had on care, as well as the large amount of stolen data.
During the roughly 50-minute meeting on Friday, each hospital CEO said their facility has been hard hit by the Oct. 23 attack, but recovery is ongoing and they’re getting by with the hard work of staff. With systems down and hospitals unable to access critical information, thousands of patient appointments have been cancelled across the five hospitals, creating backlogs of varying lengths at some of the facilities.
Some of the institutions also said they have started reaching out to the thousands of patients and staff whose information has been leaked onto the dark web. The hospitals are providing those impacted with a free credit monitoring service.
The hospital CEOs also stood behind IT provider TransForm, saying they are “confident” the group is working hard to get systems back online, with a priority on clinical services.
“We apologize for this. And we apologize for the inconvenience this has had and the issues this has caused for the patients in our community,” said Windsor Regional Hospital CEO David Musyj.
“But I can tell you individually and collectively, our focus is on them and our focus is on our staff to regain that trust.”
Here are the latest updates each hospital shared.
Bluewater Health
Bluewater Health in Sarnia said that without access to its systems, “there has been an impact on our families and patient experience.”
CEO Paula Reaume-Zimmer said urgent and emergency cases have been prioritized, and as a result, their diagnostic imaging department has had to cancel more than 3,500 appointments, causing a “significant and growing backlog.”
It’s unclear how long patients will be waiting to get their appointment, she said.
She added that staff have been notifying patients of changes to their appointments, but in some cases, the patient hasn’t been told until they have arrived at the hospital.
She also said labs in the Sarnia and Petrolia regions are deferring walk-in, non-urgent cases to deal with emergent ones.
Out of all the affected facilities, Bluewater Health has had the greatest amount of patient information leaked onto the dark web.
As a result of the cybercriminals gaining access to a patient database, information on all of Bluewater Health’s 267,000 patients who have attended the facility, and its predecessors, since 1992 has been compromised.
Starting Friday, Reaume-Zimmer said, staff are reaching out to about 20,000 patients who have had their social insurance numbers (SINs) compromised.
The hospital said in a news release Friday that it has opened a phone line dedicated to dealing with this. It advises anyone who visited the hospital as of November 1999 for a work-related injury, such as a Workplace Safety and Insurance Board claim, to phone (519) 346-4604.
As of Friday, the phone lines will be available from 9 a.m. to 5 p.m.
The hospital also notes people should be aware of ongoing scams and not provide their SIN over the phone.
Reaume-Zimmer said there is additional stolen information that they are still investigating.
Windsor Regional Hospital
Windsor Regional Hospital CEO David Musyj said diagnostic imaging and their curative radiation treatments took the largest hit during this attack.
Musyj said the number of diagnostic imaging appointments for a CT scan or MRI that need to be rescheduled is “into the thousands.” For other imaging, he said, they are working to get these appointments done through community partners.
He added that though surgeries were postponed, they got back on track a few days after the cyberattack.
As of Friday, the hospital said its curative radiation treatments are back up to full capacity.
The hospital said that for patients who had to go elsewhere to get their treatment, they are being told to complete their treatment at the location they started at for continuity of care and to avoid further delays.
On Nov. 6, the hospital said in a news release that some patient data was breached and that included their name and a summary of their medical condition. It had also said some employee information was impacted, though that doesn’t appear to include SIN or banking information.
Hôtel-Dieu Grace Healthcare
Services and programs at Windsor’s Hôtel-Dieu Grace Healthcare, according to CEO Bill Marra, have not been impacted by the cyberattack. He added that while there have been some efficiency and timing issues, all of their inpatient and outpatient programs have been running.
Marra said the hospital is only aware of an employee database being stolen, which included information on 1,396 current and former employees. These are workers who started their employment at the hospital as of Nov. 4, 2022.
Full names, SINs and basic rates of pay were stolen, according to Marra, who added that they aren’t aware of any banking information having been taken. He said these people will be receiving a letter in the mail.
“Our resiliency has been once again tested by way of a crisis and once again we demonstrated that we put our people, our patients, our clients and our community first,” he said.
Erie Shores Healthcare
Kristin Kennedy, CEO of Erie Shores Healthcare in Leamington, said the biggest impact has been on their diagnostic imaging, with ultrasounds, CT scans and mammograms having to be rescheduled. Some of these appointments have been delayed by six weeks.
X-rays and nuclear tests, according to Kennedy, have continued.
By the end of November, Kennedy said, they anticipate that full capacity for imaging will be restored and that by the end of December, services will have fully resumed.
Kennedy said the reason for the delays is that radiologists have limited capacity to read the images.
She said to mitigate this issue, they are creating a separate system to “fill the current gap,” and this system will provide “redundancy” that will protect the imaging services against similar issues in the future.
The information of 350 current and previous staff members was stolen, according to Kennedy. In particular, she said, their names and SINs have been taken. The employees worked during two pay periods, June 2019 and January 2020.
She added that banking information is not part of this.
Kennedy said they are still looking at remaining data that might have been leaked.
Chatham-Kent Health Alliance
CEO Lori Marshall said that in the first few days of the attack, surgeries and procedures were rescheduled, but since then, the hospital has returned to “more normal” volumes.
The hospital said it has deferred new chemotherapy patients to London, but will transition those patients back once their systems are up and running.
Stroke patients have also been sent via ambulance to either Windsor Regional Hospital or London Health Sciences Centre.
Marshall said the hospital is relying on community partners to help them do imaging, but cancer patients with imaging needs are being sent to London.
“In times like these, it is easy to feel overwhelmed and frustrated and vulnerable. The impact of the cyberattack extends far beyond the digital realm and when it affects an institution like a hospital, we know that it has real-life impacts,” she said.
As for the data that has been leaked, Marshall confirmed a database report containing information on about 1,446 employees, who started working at the organization as of Feb. 2, 2021, was breached.
The information stolen includes names, addresses, SINs, gender, marital status, date of birth and pay rates. Marshall said no banking information was taken.
Marshall said these employees will be notified by the end of this week and early next week.
Hospitals address transparency concerns
Since the cyberattack took place, hospital IT provider TransForm and the impacted hospitals have released eight joint news statements.
CBC News has repeatedly asked for interviews or the opportunity to ask questions during the last four weeks, but has been declined.
Friday was the first time the hospital CEOs took questions from the media.
Before reporters asked questions, a spokesperson for one of the hospitals said that for “security reasons,” CEOs could not comment on the specific actions of the cybercriminal or the steps being taken to secure the new system.
When asked why CEOs waited four weeks to speak about the situation, as well as why they haven’t been more forthcoming with answering questions, Marra of Hôtel-Dieu Grace said he believes the hospitals have been very transparent.
In addition to several news releases, Marra said “our communication has been with our people, our patients, working with the privacy commissioner, having town halls, meeting with our staff one on one on the units, issuing letters and notices.”
“So there has been transparency. It may not meet the standard of some people, but we have done an exceptionally good job, in a very responsible and safe way, to not further compromise what we’ve already experienced,” he said.
He added they’ve had to protect the integrity of ongoing police investigations.