powered by:
valneva canada inc.
sw ontario hospitals hit with $480m lawsuit as stolen patient data likely sold
as hackers claim they’ve sold sensitive personal inform...
nov 29 2023
4 minute read
sarnia's bluewater health was the hardest-hit in a cyberattack that saw large volumes of private patient information stolen.
postmedia news
as hackers claim they’ve sold sensitive personal information about roughly 270,000 southwestern ontario hospital patients, the agencies targeted in the massive cyberattack now face a $480-million lawsuit.
the class action suit, launched by a patient of sarnia’s bluewater health, claims patients affected by the breach lost their right to privacy, suffered “injury to dignity,” and are enduring “serious and prolonged mental distress,” among other damages.
lawyer mireille dahab with dahab law, the richmond hill firm handling the class action, said this is a case about “negligence.”
“this is highly sensitive information that has been leaked for many thousands of ontarians,” dahab told the windsor star. “now you’ve got people’s personal, very, very sensitive information out on the dark web.
“and who knows how long this will continue to affect their lives and their credit? i think that is really the issue here.
“you’re not just dealing with name and address and phone number. you’re dealing with everything. health card, your illnesses, your medication, a lot of information that should not be leaked to other people.”
a group called daixin team has claimed responsibility for the ransomware attack, first detected oct. 23, against bluewater health, chatham-kent health alliance, erie shores healthcare, hôtel-dieu grace healthcare, and windsor regional hospital.
advertisement
advertisement
the blackmailers also targeted transform shared service organization, which runs supply and technology systems for the hospitals.
the lawsuit, filed nov. 15 in sarnia, lists transform and all five hospitals as defendants in the pursuit of $480,600,000 in damages.
sarnia resident robert smith, a patient of bluewater health throughout his life, is the class action’s named plaintiff.
but court documents state the lawsuit is going ahead on behalf of all ontario residents who were or are patients of any of the five hospitals. the statement of claim was also filed on behalf of anyone who had their data managed by transform and whose personal information was stored on the defendants’ computer systems that were compromised or accessed by the hackers.
“pretty much all patients that have attended the hospital have been affected because their information is not disposed of,” said dahab. “so it stays there. we’ll have to clarify once we get the lists from the hospitals and everything of who was actually affected.
“but as far as we know, based on the information that’s been provided so far, it’s anybody that visited these hospitals.”
the organizations have not yet filed any statement of defence, and none of the allegations in the statement of claim have yet been proven in court.
advertisement
advertisement
“we are in receipt of a lawsuit related to the cyber attack and, as this is now a legal matter before the courts, we will not be commenting,” the hospitals said in a joint response to the star’s request for comment.
“please visit our website for updates on the cyber attack and restoration of services.”
but officials have confirmed the biggest breach was at sarnia’s bluewater health, where more than 5.6 million records pertaining to about 267,000 people was stolen. the hospital said the stolen data included social insurance numbers for about 20,000 patients.
the star previously reported that the hackers demanded a ransom of about us$8 million to keep the stolen data off the dark web. after the hospitals refused to pay, daixin started posting the information online.
the hackers now claim they have sold the “full leak” of stolen data.
but brett callow, a threat analyst with the cybersecurity firm emsisoft ltd., said that could be a bluff.
“organizations are likely more alarmed at the prospect of their customers’ information being sold to other cybercriminals than they are about it being posted on an obscure tor site (on the dark web),” he said.
advertisement
advertisement
“daixin knows this, and may simply be making the claim in the hope that their future victims will be more likely to pay. that said, hope for the best and plan for the worst.
“people should assume that the information was sold and that the buyer will attempt to misuse it.”
in another post related to a more recent cyberattack against the north texas municipal water district, daixin even offers suggestions on how stolen data can be misused.
the suggested “variety of crimes” include opening bank accounts, taking out loans, obtaining medical services, getting government benefits, further phishing and hacking “intrusions,” filing fraudulent tax returns, obtaining fake driver’s licences, and “giving false information to police during an arrest.”
in addition to becoming vulnerable to such potential crimes, the lawsuit against transform and the hospitals also claims that learning of the breach left patients suffering from “mental injuries arising from their anxiety and distress.”
“the personal information which was invaded, including but not limited to personal health information, is highly sensitive and personal, and a reasonable person would consider the invasion to be highly offensive causing anguish, humiliation, and/or distress,” the lawsuit states.
the statement of claim alleges the patient files and information the hospitals had stored in their systems “were not protected adequately, and/or were vulnerable to cyber attacks or unauthorized access.”
advertisement
advertisement
“the standard of care the defendants were required to meet with respect to the collection and storage of personal information is heightened given the highly sensitive nature of the personal information that the defendants were entrusted with.
“the required standard is informed by, but not limited to, industry practice, the common law, and privacy legislation.”
share story
