This article is more than 1 year old

Will this biz be poutine up the cash? Hackers demand dosh to not leak stolen patient records

Tens of thousands of Canadian medical files, healthcare worker details snatched

Hackers say they will leak patient and employee records stolen from a Canadian healthcare provider unless they are paid off.

The records include medical histories and contact information for tens of thousands of home-care patients in Ontario, Canada, and belong to CarePartners.

The biz, which provides home medical care services on behalf of the Ontario government, admitted last month that it had been hacked, and its documents copied. At the time it only acknowledged that personal health and financial information of patients and employees had been "inappropriately accessed.”

A gang claiming to be behind the network intrusion then approached CBC News with a sample of the swiped data. That bundle reportedly included thousands of patient medical records with phone numbers and addresses, dates of birth, and health card numbers, as well as detailed medical histories including past conditions, diagnoses, surgical procedures, care plans and medications for patients across the Canadian region.

A separate document supplied by the miscreants contained, we're told, 140 active patient credit card numbers and expiry dates, many with security codes. Samples of snatched worker files were also offered.

Doctors run to save patient. Photo by Shutterstock

Medic! Orangeworm malware targets hospitals worldwide


The crooks boasted they are sitting on a cache of hundreds of thousands of such records dating back to 2010, and are demanding money to keep a lid on the files. "We requested compensation in exchange for telling them how to fix their security issues and for us to not leak data online," the cyber-fiends said.

CarePartners bosses said they are working with the Herjavec Group, a cybersecurity firm, to investigate the hacking. It declined to comment further due to an ongoing probe by Waterloo Police into the matter.

In the meantime, it is working with Ontario's health integration networks (LHINs) — provincial government agencies that contract out home-care services, such as nursing, to commercial firms such as CarePartners – in notifying affected patients and other parties.

Data privacy watchdogs at the Office of the Information and Privacy Commissioner of Ontario said they were “assessing whether the breach could have been prevented, whether adequate steps are being taken to respond to it, and to ensure that systems are in place to help prevent future breaches," CBS News added. ®

More about


Send us news

Other stories you might like