Dear SHN Community,
SHN recently experienced a cybersecurity incident that involved unauthorized access to data contained on several of our servers (the “Incident”). We take the privacy and security of business contact and personal information very seriously, and sincerely regret that this Incident occurred. As soon as the issue was identified, SHN immediately retained a leading third-party cybersecurity team to conduct a detailed investigation and to assist in containing the Incident and restoring the security of our systems. We can confirm that the unauthorized actor was shut out of the system by February 1, 2022. Patient data from February 1, 2022 and onward is not at risk. While the investigation is now complete, we are continuing to closely monitor the situation and have not detected any malicious use of data that was potentially accessed.
We understand that a situation like this may create stress and anxiety about the safety of your personal information. Accordingly, we want you to know a few important things.
What Happened
On January 25, 2022, SHN’s IT personnel noticed indications of unusual activity on its systems and immediately took steps to contain and investigate the Incident with the help of leading third-party cybersecurity experts.
This investigation identified that past and present patient data contained on a number of SHN’s servers may have been accessed. This includes patients of pre-amalgamation SHN institutions. The data potentially accessed may include:
- Patient ID numbers
- Patient name, gender, date of birth, marital status, home address and postal code, phone number, email address, OHIP number and version, insurance policy number, and presenting complaint (i.e., for first responder)
- Provider names
- Provider (HCP, health care provider) and CPSO (College of Physicians and Surgeons of Ontario) numbers
- Procedure description/ordered performed
- Orders
- Results
- Attending and/or ordering physician names, numbers
- Medical/clinical/diagnosis information/findings/reports
- Lab reports/results
- COVID-19 treatment and immunization records for those admitted to SHN
- Staff names and numbers
It is important to know that if people visited a vaccine clinic that was affiliated with SHN, their data was only uploaded to Ministry of Health servers and was not affected by this incident. The only data related to COVID-19 vaccinations that may have been exposed is for individuals who were actually admitted to an SHN hospital and received in-patient care, where that information was included as part of their patient chart.
To date, there is no indication that any personal information potentially accessed in connection with the Incident has been misused in any way.
What We Are Doing
SHN took multiple steps to contain and remediate the Incident:
- Upon learning of the Incident, we immediately sought to contain it by severing access to the Internet and several third-party networks, while maintaining our highest possible standards of patient care.
- We engaged a leading cybersecurity team to conduct a detailed investigation into what happened and work around-the-clock to remediate the Incident.
- Our IT team further strengthened existing security controls and maintained constant monitoring across the SHN environment to limit the risk of this kind of incident happening again.
- In compliance with provincial requirements, the Information & Privacy Commissioner of Ontario has also been notified.
What You Can Do
Given the complexity of the Incident, unfortunately we are unable to provide individuals with information about the specific data accessed. However, as a courtesy to all SHN current and former patients, we have retained the assistance of Trans Union of Canada, Inc. (“TransUnion”), one of Canada’s leading consumer reporting agencies.
Through TransUnion, we have arranged a two-year subscription to TransUnion myTrueIdentity, an online monitoring service, at no cost to you. If you choose to register, this credit monitoring service will notify you by email of critical changes to your TransUnion Credit Report. Should you receive an email alert, you can review and validate the reported change by logging into the myTrueIdentity portal. This allows you to identify any potentially fraudulent activity on your TransUnion Credit Report.
We encourage you to take advantage of this service and help protect your identity. To gain access to the service, please contact 416-284-8131 ext. 7782. SHN will not have access to any of your credit information if you elect to participate in this program. If you elect to participate, you may activate this two-year service any time prior to September 30, 2022.
Upon completion of the enrollment process, you will have access to the following features:
- Unlimited online access to the TransUnion Credit report, updated daily. A credit report is a snapshot of a consumer’s financial history and primary tool leveraged for determining credit-related identity theft or fraud.
- Unlimited online access to the TransUnion CreditVision® Risk score, with score factors and analysis updated daily. A credit score is a three-digit number calculated based on the information contained in a consumer’s credit report at a particular point in time.
- TransUnion credit monitoring alerts with email notifications to key changes on a consumer’s credit file. In today’s virtual world, credit alerts are a powerful tool to protect against identity theft, enable quick action against potentially fraudulent activity, and provide overall confidence to potentially impacted consumers.
- Unlimited access to online educational resources concerning credit management, fraud victim assistance and identity theft prevention.
- Identity theft insurance of up to $50,000 in coverage to protect against potential damages related to identity theft and fraud.*
- Dark Web Monitoring to provide monitoring of surface, social, deep, and dark websites for potentially exposed personal, identity and financial information in order to help protect consumers against identity theft.
*Underwritten by AIG Insurance Company of Canada.
Although there is no indication that any information involved in the Incident has been misused, we would like to remind you to be diligent, as always, when protecting your identity by monitoring your accounts and remaining vigilant for incidents of fraud and identity theft. You should also be mindful of phishing attempts and take care when responding to unsolicited communications (whether electronic or otherwise) that reference or request your personal information or account credentials.
SHN will not contact you by email requesting you to provide or verify sensitive personal information. When in doubt or if you have any concerns about the validity of any emails SHN sends, please contact us as indicated below.
What Else You Can Do
As a precautionary measure, we strongly suggest that you contact your bank, credit card company, and relevant government offices to advise them that you may have been affected by this Incident. We recommend you monitor and verify all your bank accounts, credit card and other financial transaction statements for any suspicious activity.
If you suspect misuse of your personal information, you can obtain a copy of your credit report from a credit reporting bureau to verify the legitimacy of the transactions listed.
- Equifax at 1-800-465-7166 or www.equifax.ca
If you are concerned that you may be a victim of fraud, you may request these bureaus place a fraud alert on your credit files instructing creditors to contact you before opening any new accounts.
If your health card number has been affected by the Incident, you should call ServiceOntario INFOline at 1-866-532-3161 or 1-800-387-5559 to report your lost or stolen health card number. If you suspect misuse of your health card number, you can report suspected cases of fraud by calling the Ministry of Health and Long-Term Care at 1-888-781-5556 or e-mail at reportohipfraud@moh.gov.on.ca.
You may also wish to review this publication from the Information and Privacy Commissioner of Ontario, Identity Theft: A Crime of Opportunity.
For More Information
Again, we regret that this Incident occurred and apologize for any inconvenience it has caused.
If you have any questions regarding this Incident or if you desire further information or assistance, contact us at 416-284-8131 ext. 7782. You are also entitled to file a complaint to the Office of the Information and Privacy Commissioner (IPC) of Ontario.
Should there be any further information about this Incident and your personal information, we will provide updates on this webpage.
Sincerely,
Scarborough Health Network
On January 25, 2022, SHN’s IT personnel noticed unusual activity on its systems (the “Incident”). We immediately took steps to contain and secure the SHN environment and investigate the Incident with the help of leading third-party cybersecurity experts. This investigation determined that the Incident involved unauthorized access to a subset of data contained on a number of SHN’s servers. As of the date of this notice, there have been no signs of malicious activity since the Incident was discovered and containment activities were commenced.
January 25, 2022.
Upon learning about the incident on January 25, we reported it to the Office of the Information and Privacy Commissioner (IPC) of Ontario on February 1, 2022, as well as to key third-party stakeholders of SHN.
We immediately worked to contain the incident and understand its scope, and retained leading third-party cybersecurity experts to undertake a full investigation. Given the complexity of this Incident, a comprehensive investigation took time and we wanted to ensure we understood all the facts and appropriate remedies in order to provide accurate information to our patients, SHN team members, and stakeholders.
We understand that a situation like this can create stress and anxiety about the safety of your personal information as a patient (past or present) of SHN. While we are continuing to monitor with the help of third-party experts, there is no indication that any information involved in the Incident has been misused. However, it is possible that some of your personal information or personal health information may have been affected. Unfortunately, given the complexity of the Incident, we are not able to determine which individuals were directly impacted.
As a result, we are advising individuals to be diligent in protecting their identity by monitoring their accounts and remaining vigilant for incidents of fraud and identity theft. You should also be mindful of phishing attempts and take care when responding to unsolicited communications that reference or request your personal information or account credentials. SHN will not contact you by email requesting any sensitive personal information.
If you have any concerns about the validity of any emails SHN sends, please contact us. If you have any questions regarding this matter, please contact cybersecurity@shn.ca (officeofthecto@shn.ca).
It is important to know that if people visited a vaccine clinic that was affiliated with SHN, their data was only uploaded to Ministry of Health servers and was not affected by this incident. The only data related to COVID-19 vaccinations that may have been exposed is for individuals who were actually admitted to an SHN hospital and received in-patient care, where that information was included as part of their patient chart.
The EPIC and MyChart services were not impacted and remained online during the incident.
While we initially took our systems offline during containment, remediation and investigation activities, our clinical operations, including essential clinical systems, remained available to serve our patients.
As of the date of this notice, there have been no signs of malicious activity since the Incident was discovered and containment activities were commenced.
Our clinical operations, including essential clinical systems, remain available to serve our patients. While cybersecurity incidents can happen to any type of organization, SHN has engaged the resources necessary to fully and properly investigate what happened.
Because of the particular types of personal information and personal health information impacted as a result of this Incident, there may be a risk of identity theft as well as other malicious activities, such as phishing. Please note that SHN will not contact individuals by email requesting payment card details and other sensitive personal information. If you receive an email from an untrusted source or have any questions about suspicious online activities, please contact cybersecurity@shn.ca (officeofthecto@shn.ca).
SHN took multiple steps to contain and remediate the Incident:
- Upon learning of the Incident, we immediately contained the Incident by severing access to the Internet and several third-party networks, while maintaining our highest possible standards of patient care.
- We engaged leading third-party cybersecurity experts to conduct a detailed investigation into what happened and remediate the Incident.
- Our IT team worked to further strengthen existing security controls and conducted around-the-clock monitoring across the SHN environment to ensure this kind of incident does not happen again.
Our investigations have revealed that as of the date of this notice, there have been no signs of unauthorized access or malicious activity since the Incident was discovered and containment activities were commenced.
As a courtesy to all SHN current and former patients, we have retained the assistance of Trans Union of Canada, Inc. (“TransUnion”), one of Canada’s leading consumer reporting agencies.
Through TransUnion, we have arranged a two-year subscription to TransUnion myTrueIdentity, an online monitoring service, at no cost to you. If you choose to register, this credit monitoring service will notify you by email of critical changes to your TransUnion Credit Report. Should you receive an email alert, you can review and validate the reported change by logging into the myTrueIdentity portal. This allows you to identify any potentially fraudulent activity on your TransUnion Credit Report.
We encourage you to take advantage of this service and help protect your identity. To gain access to the service, please contact us at 416-284-8131 ext. 7782. SHN will not have access to any of your credit information if you elect to participate in this program. If you elect to participate, you may activate this two-year service any time prior to September 30, 2022.
Upon completion of the enrollment process, you will have access to the following features:
- Unlimited online access to the TransUnion Credit report, updated daily. A credit report is a snapshot of a consumer’s financial history and primary tool leveraged for determining credit-related identity theft or fraud.
- Unlimited online access to the TransUnion CreditVision® Risk score, with score factors and analysis updated daily. A credit score is a three-digit number calculated based on the information contained in a consumer’s credit report at a particular point in time.
- TransUnion credit monitoring alerts with email notifications to key changes on a consumer’s credit file. In today’s virtual world, credit alerts are a powerful tool to protect against identity theft, enable quick action against potentially fraudulent activity, and provide overall confidence to potentially impacted consumers.
- Unlimited access to online educational resources concerning credit management, fraud victim assistance and identity theft prevention.
- Identity theft insurance of up to $50,000 in coverage to protect against potential damages related to identity theft and fraud.*
- Dark Web Monitoring to provide monitoring of surface, social, deep, and dark websites for potentially exposed personal, identity and financial information in order to help protect consumers against identity theft.
* Underwritten by AIG Insurance Company of Canada.
Our priority is the integrity and security of our systems, and the protection of all patient and staff information. Immediately upon discovering the issue, we took multiple actions to contain and remediate the Incident. This includes working with third-party cybersecurity experts, who have thoroughly investigated the Incident to better understand why and how it occurred. Since then, we have implemented additional safeguards to limit the risk of this kind of event happening in the future.
We are asking all SHN team members to please remain on alert when engaging in online activities and do not click suspicious links. SHN will not contact individuals by email requesting payment card details and other sensitive personal information. If you receive an email from an untrusted source or have any questions about suspicious online activities, please contact cybersecurity@shn.ca (officeofthecto@shn.ca).
Our investigation indicates that the Incident may impact data from pre-amalgamation SHN institutions, specifically:
- Scarborough Health Network (SHN) — pre-amalgamation The Scarborough Hospital (TSH), and Rouge Valley Health System (RVHS)
- SHN Birchmount Hospital — previously TSH Birchmount Site or Scarborough Grace Hospital
- SHN General Hospital — previously TSH General Site or Scarborough General Hospital
- SHN Centenary Hospital — previously RVHS Centenary Campus or Scarborough Centenary Hospital
- The previous RVHS Ajax and Pickering Campus or Ajax-Pickering Hospital
Our third-party cybersecurity experts have conducted a full and comprehensive investigation and are continuing to monitor the situation. To date, there is no indication of any malicious use of the data potentially accessed. That said, there is always a possibility that the information involved in this Incident could be subject to misuse in the future.
With respect to the information that is currently on SHN servers, rest assured that we are committed to the safety and privacy of patient and staff data that has been entrusted to us. We have taken multiple actions in collaboration with third-party cybersecurity experts to upgrade and improve the security of our IT systems based on what we have learned from the Incident.
We would like to take this opportunity to remind you to be diligent, as always, with respect to protecting your identity by monitoring your accounts and remaining vigilant for incidents of fraud and identity theft. You should also be mindful of phishing attempts and take care when responding to unsolicited communications (whether electronic or otherwise) that reference or request your personal information or account credentials.
SHN will not contact you by email requesting you to supply or verify sensitive personal information. If you are in doubt or have any concerns about the validity of any emails SHN sends, please contact us as indicated below.
As a precautionary measure, we strongly suggest that you contact your bank, credit card company, and relevant government offices to advise them that you may have been affected by this Incident. We recommend you monitor and verify all your bank accounts, credit card and other financial transaction statements for any suspicious activity.
If you suspect misuse of your personal information, you can obtain a copy of your credit report from a credit reporting bureau to verify the legitimacy of the transactions listed.
- Equifax at 1-800-465-7166 or www.equifax.ca
If you are concerned that you may be a victim of fraud, you may request these bureaus place a fraud alert on your credit files instructing creditors to contact you before opening any new accounts.
If your health card number has been affected by the Incident, you should call ServiceOntario INFOline at 1-866-532-3161 or 1-800-387-5559 to report your lost or stolen health card number. If you suspect misuse of your health card number, you can report suspected cases of fraud by calling the Ministry of Health and Long-Term Care at 1-888-781-5556 or e-mail at reportohipfraud@moh.gov.on.ca.
You may also wish to review this publication from the Information and Privacy Commissioner of Ontario, Identity Theft: A Crime of Opportunity.
If you suspect that someone has stolen your identity, there are several things you need to do:
- Report the incident to the police, especially if it involves stolen identification. Insist on receiving a complaint number.
- The Canadian Anti-Fraud Centre provides valuable information and guidance.
- Report all stolen credit cards to the issuers and request new cards. Follow up with written notification.
- Notify your bank if your cheques were stolen and close your account.
- Be prepared to fill out Affidavits of forgery to establish your innocence for banks, credit grantors and recipients of stolen cheques. Remember, these institutions are joint victims with you and may suffer a financial loss.
- If you believe someone else used your Social Insurance Number, you should contact your local Service Canada Office for advice.
- Get a new bankcard, account number and password. Do not reuse your old password. Never share your password or Personal Identification Numbers (“PINs”).
- Notify Canada Post Postal Security if you suspect your mail was stolen.
Contact TransUnion’s Fraud Victim Assistance Department and Equifax Canada. The companies will add fraud alerts to your credit files. TransUnion’s Fraud Victim Assistance Department offers a seven-step program for protecting and assisting all victims of credit fraud.