Skip to main content

Major data breach at Queensway Carleton Hospital could affect 100,000 patients

Share

The personal and health information of about 100,000 Queensway Carleton Hospital patients could be affected by a major data breach, the hospital said Friday.

The breach involves the hospital's use of an Ottawa company's cloud-based platform over a two-year period starting in March 2021.

That company, Aetonix, discovered early last month that an unauthorized third party gained access to an internal test environment where personal health information was stored, the hospital said in a statement on Friday.

"Following a thorough review of the incident, Aetonix’s forensic investigation has concluded that the incident may have resulted in your personal health information being accessed or copied by an unauthorized third party," the hospital said.

"Patient data that may have been impacted include: patient ID numbers, patient visit ID (Account/Encounter number), patient name, gender, date of birth, marital status, mother tongue, home address and postal code, phone number, email address, OHIP number and version, insurance policy number, health care providers, scheduled surgical appointments, past medical history, and procedure description."

The hospital said it has stopped using the platform and there's no evidence the information has been misused.

"QCH takes the privacy and security of personal information very seriously, and we sincerely regret that this incident occurred."

The hospital is sending individual letters to about 100,000 patients who may potentially be impacted. The hospital says its electronic medical records and patient portal were not impacted and no financial or banking information was accessed.

Anyone who got a COVID-19 vaccine at a QCH-affiliated clinic also wouldn’t be affected – that data was uploaded straight to provincial ministry of health servers.

"We want to stress that neither QCH nor Aetonix are aware of any misuse of this information and Aetonix’s investigation could not confirm whether any unauthorized person actually viewed or copied your information," the hospital said.

COMPANY NOTIFIED LAW ENFORCEMENT

In a statement, Aetonix said all data uploaded to its aTouchAway platform by Canada-based health care providers, patients and caregivers prior to Feb. 23 may have been compromised.

"This incident was a result of data being present in a location where it should not have been stored, and which should not have been accessible via the public web," the company said.

Aetonix said law enforcement was notificed on March 17. The Ontario and Alberta information and privacy commissioners, along with the Manitoba ombudsman, were informed on March 20.

The company said its platform is still safe to use.

The hospital was using the aTouchAway platform to provide virtual communication services, care pathways, and remote patient monitoring for QCH patients.

HOSPITAL RETAINS TRANSUNION

The Queensway Carleton says it has retained TransUnion, a consumer reporting agency, so affected patients can register for a credit monitoring service at no cost.

The service will provide unlimited online access to the TransUnion credit report, which is primarily used to detect identity theft or fraud. It also includes identity theft insurance.

For more information, you can read the hospital's public notice here.

DIFFERENT FROM OTHER BREACHES

Technology analyst Carmi Levy tells CTV News Ottawa that the breach at QCH differs from some breaches already seen in the past.

“Compared to other breaches that we’ve seen, this one is someone different because it doesn’t involve the organization itself,” he said. 

"Because we live in a world where companies now subscribe to software, subscribe to technology services in the cloud, this is a major problem because no matter who you’re connected to, you have to ask yourself the question are they secure as well?"

Levy says people should watch their accounts of signs of suspicious activity, such as increased phishing emails or text messages. 

Ottawa Health Coalition co-chair Ed Cashman says this breach should be a concern for everyone.

"Not just patients, but the government and the hospitals. The reason being this is happening too many times and it’s happening everywhere," he says. "Potentially, it's the most intimate details of your life that are being exposed."

CTVNews.ca Top Stories

Video shows B.C. grizzly basking in clawfoot tub

A donated clawfoot bathtub has become the preferred lounging spot for a pair of B.C. grizzly bears, who have been taking turns relaxing and reclining in it – with minimal sibling squabbling – for the past year.

Biden tests positive for COVID, will self-isolate in Delaware

U.S. President Joe Biden, under pressure from fellow Democrats to drop his re-election campaign, tested positive for COVID-19 while visiting Las Vegas on Wednesday and is self-isolating after experiencing mild symptoms, the White House said.

Stay Connected