The Information and Privacy Commissioner of Ontario has completed a review into Daixin Team's massive cyberattack on five regional hospitals in 2023 and found hospital officials acted “adequately.”

Perhaps the most notable aspect of the report (from my perspective) was that the IPC said the hospitals were obligated to notify patients whose data had been encrypted (and not just those whose data had been exfiltrated). They saw no point in requiring that now, but wanted it noted that it should have happened.

So that seems to be making PHIPA's interpretation clearer for future victims of encryption incidents.

The full report makes an interesting read.

PHIPA Decision 284:
https://decisions.ipc.on.ca/ipc-cipvp/phipa/en/item/521986/index.do

#PHIPA #notification #incidentmanagement #databreach #ransomware

Unbelievable. Or maybe too believable...

I previously posted about Bolton Walk-in Clinic in Ontario not locking down their patient data despite multiple responsible disclosure alerts (https://infosec.exchange/@PogoWasRight/113589181607493357). Then I reported that Canada's cybersecurity agency contacted me and offered to help (https://infosec.exchange/@PogoWasRight/113589757905504474).

Well, they tried... but got no results either. Bolton Walk-In Clinic is still exposing patient data and didn't even do anything when contacted by Canadian federal police.

If any Canadian news outlet would like to report on this, get in touch. @JayeLTee and I will share the information with you (yes, I just volunteered him too). 😂

Or if anyone is in the vicinity of their clinic, maybe stand outside with a sign that says, "Bolton Walk-In Clinic is leaking patient data and ignoring alerts!" That might get some attention...

Bonus points if you get someone in a Santa outfit to stand outside their clinic with a sign that says "Bolton Walk-In Clinic is naughty -- they are leaking patient data."

#dataleak #negligence #healthsec #PHIPA #HIPA #cybersecurity #databreach #accountability

@hal8999 @brett As the article notes, an offense under #PHIPA can potentially result in imprisonment.

A patient at Woodstock Hospital in Ontario wants to know why the hospital never referred an insider-wrongdoing breach to the police. It's a fair question considering that the improper access affected 56 patients and took place between January and May.

https://www.woodstocksentinelreview.com/news/local-news/patient-frustrated-by-woodstock-hospital-privacy-breach

#databreach #privacy #PHIPA #OIP

@brett

Updating: It looks like Akira removed their listing for Michael Garron Hospital in Toronto, but why they removed it and whether it will remain removed remains unknown:

https://www.databreaches.net/michael-garron-hospital-confirms-some-employee-and-clinician-data-stolen-in-cyberattack-akira-claims-it-stole-882000-files/

#databreach #healthsec #PHIPA #infosec #cybersecurity #incidentresponse

@brett @CBCNews

Daixin contacted me last night that they wouldn't be dumping databases from Transform as quickly as they are busy working on something else. But then this morning I woke up to find a message that for now, they released 300 records from a database for now that they describe as "interesting."

The data are sensitive and confidential info of named patients with their demographic info as well as health-related and account-related info. Many of these entries go back to service dates years ago, but they also included some current records. The records include dozens of fields including what service treated the patient (e.g., surgery, psychiatry) and when patients did not want any info given out about them to family or anyone. That ship has now sailed for them.

#databreach #PHIPA #HealthSec #TransForm #Sarnia #cybersecurity

@brett @BleepingComputer

Update: Sensitive patient data leaked from #TransForm ransomware incident that affects #BluewaterHealth and other Ontario healthcare entities:

https://www.databreaches.net/update-sensitive-patient-data-leaked-from-transform-ransomware-incident/

#HealthSec #Ransomware #infosec #vendor #PHIPA #databreach #cybersecurity

@campuscodi @BleepingComputer @BBC @CBCNews @vxunderground