SW Ontario hospitals hit with $480M lawsuit as stolen patient data likely sold

Published Nov 29, 2023 • 4 minute read

Sarnia’s Bluewater Health was the hardest-hit in a cyberattack that saw large volumes of private patient information stolen. Postmedia News

As hackers claim they’ve sold sensitive personal information about roughly 270,000 southwestern Ontario hospital patients, the agencies targeted in the massive cyberattack now face a $480-million lawsuit.

The class action suit, launched by a patient of Sarnia’s Bluewater Health, claims patients affected by the breach lost their right to privacy, suffered “injury to dignity,” and are enduring “serious and prolonged mental distress,” among other damages.

Advertisement 2

This advertisement has not loaded yet, but your article continues below.

THIS CONTENT IS RESERVED FOR SUBSCRIBERS ONLY

Subscribe now to read the latest news in your city and across Canada.

Unlimited online access to articles from across Canada with one account.Get exclusive access to the Windsor Star ePaper, an electronic replica of the print edition that you can share, download and comment on.Enjoy insights and behind-the-scenes analysis from our award-winning journalists.Support local journalists and the next generation of journalists.Daily puzzles including the New York Times Crossword.

SUBSCRIBE TO UNLOCK MORE ARTICLES

Subscribe now to read the latest news in your city and across Canada.

Create an account or sign in to continue with your reading experience.

Access articles from across Canada with one account.Share your thoughts and join the conversation in the comments.Enjoy additional articles per month.Get email updates from your favourite authors.

Article content

Lawyer Mireille Dahab with Dahab Law, the Richmond Hill firm handling the class action, said this is a case about “negligence.”

“This is highly sensitive information that has been leaked for many thousands of Ontarians,” Dahab told the Windsor Star. “Now you’ve got people’s personal, very, very sensitive information out on the dark web.

“And who knows how long this will continue to affect their lives and their credit? I think that is really the issue here.

“You’re not just dealing with name and address and phone number. You’re dealing with everything. Health card, your illnesses, your medication, a lot of information that should not be leaked to other people.”

A group called Daixin Team has claimed responsibility for the ransomware attack, first detected Oct. 23, against Bluewater Health, Chatham-Kent Health Alliance, Erie Shores HealthCare, Hôtel-Dieu Grace Healthcare, and Windsor Regional Hospital.

The blackmailers also targeted TransForm Shared Service Organization, which runs supply and technology systems for the hospitals.

The lawsuit, filed Nov. 15 in Sarnia, lists TransForm and all five hospitals as defendants in the pursuit of $480,600,000 in damages.

Advertisement 3

This advertisement has not loaded yet, but your article continues below.

Article content

Sarnia resident Robert Smith, a patient of Bluewater Health throughout his life, is the class action’s named plaintiff.

But court documents state the lawsuit is going ahead on behalf of all Ontario residents who were or are patients of any of the five hospitals. The statement of claim was also filed on behalf of anyone who had their data managed by TransForm and whose personal information was stored on the defendants’ computer systems that were compromised or accessed by the hackers.

“Pretty much all patients that have attended the hospital have been affected because their information is not disposed of,” said Dahab. “So it stays there. We’ll have to clarify once we get the lists from the hospitals and everything of who was actually affected.

“But as far as we know, based on the information that’s been provided so far, it’s anybody that visited these hospitals.”

The organizations have not yet filed any statement of defence, and none of the allegations in the statement of claim have yet been proven in court.

“We are in receipt of a lawsuit related to the cyber attack and, as this is now a legal matter before the courts, we will not be commenting,” the hospitals said in a joint response to the Star’s request for comment.

Advertisement 4

This advertisement has not loaded yet, but your article continues below.

Article content

“Please visit our website for updates on the cyber attack and restoration of services.”

But officials have confirmed the biggest breach was at Sarnia’s Bluewater Health, where more than 5.6 million records pertaining to about 267,000 people was stolen. The hospital said the stolen data included social insurance numbers for about 20,000 patients.

The Star previously reported that the hackers demanded a ransom of about US$8 million to keep the stolen data off the dark web. After the hospitals refused to pay, Daixin started posting the information online.

The hackers now claim they have sold the “full leak” of stolen data.

People should assume that the information was sold

But Brett Callow, a threat analyst with the cybersecurity firm Emsisoft Ltd., said that could be a bluff.

“Organizations are likely more alarmed at the prospect of their customers’ information being sold to other cybercriminals than they are about it being posted on an obscure Tor site (on the dark web),” he said.

“Daixin knows this, and may simply be making the claim in the hope that their future victims will be more likely to pay. That said, hope for the best and plan for the worst.

Advertisement 5

This advertisement has not loaded yet, but your article continues below.

Article content

“People should assume that the information was sold and that the buyer will attempt to misuse it.”

In another post related to a more recent cyberattack against the North Texas Municipal Water District, Daixin even offers suggestions on how stolen data can be misused.

The suggested “variety of crimes” include opening bank accounts, taking out loans, obtaining medical services, getting government benefits, further phishing and hacking “intrusions,” filing fraudulent tax returns, obtaining fake driver’s licences, and “giving false information to police during an arrest.”

In addition to becoming vulnerable to such potential crimes, the lawsuit against TransForm and the hospitals also claims that learning of the breach left patients suffering from “mental injuries arising from their anxiety and distress.”

“The Personal Information which was invaded, including but not limited to Personal Health Information, is highly sensitive and personal, and a reasonable person would consider the invasion to be highly offensive causing anguish, humiliation, and/or distress,” the lawsuit states.

Advertisement 6

This advertisement has not loaded yet, but your article continues below.

Article content