Arnprior hospital patients dating back 26 years impacted by cybersecurity incident

ARNPRIOR – Anyone who visited the Arnprior hospital in the last 26 years may have had their health information compromised in a December 2021 cybersecurity incident at Arnprior Regional Health (ARH).

Last January, West Carleton Online broke the news ARH was the victim of a cyber attack on Dec. 21, 2021. At the time, all hospital staff knew was the incident did not impact service delivery.

As its information technology experts continued to investigate the incident, ARH staff are now learning patients dating back 26 years may have had their data accessed by the cyberthieves.

Last April the Arnprior and District Family Health Team (ADFHT) confirmed some of their data was compromised through the attack.

“While it was initially believed ADFHT’s information was not affected by the breach, we were notified on April 1, ongoing investigations revealed some ADFHT data had, in fact, been compromised,” ADFHT staff said at the time. “Given the implications of this new information, the ADFHT is continuing to work closely with ARH, their cyber experts, and all relevant authorities to determine the full extent of the exposure. While the investigation of this incident is ongoing, ADFHT has concluded the personal health information in its electronic medical record was not compromised.”

Today (May 19), ARH staff confirmed the extent of the data breach that dates back to files from 1996.

“It is important to note that the Electronic Health Record system was not impacted, and we experienced no disruption to the delivery of healthcare or other services we provide,” ARH President and CEO Leah Levesque released in a statement today (May 19). “There is no evidence of further misuse of the data, and we have received assurance that the data has been deleted. Upon discovering the incident, we retained cyber forensic experts to conduct a comprehensive investigation.”

ARH now says patients between April 1996 and 2010 may have had their data stolen.

“Your data, including name, date of birth, contact information, demographic data, and health card number may have been accessed,” Levesque said.

Those who visited the emergency room between 2009 and 2021 may have had their data and diagnosis stolen through the ER Patient Satisfaction Information portal.

“Your data has not been impacted if you visited the emergency room during these dates for any of the following: any deaths, suicidal thoughts, miscarriage, abortion, grieving, morning after pill/contraception, bizarre behavior, substance overdose, vital signs absent, homeless, sexual assault, domestic assault, physical assault, altered level of consciousness, or palliative care,” Levesque said.

Patients who received COVID-19 vaccinations in Arnprior are also affected.

Those who booked COVID-19 testing through one of Renfrew County’s mass swabbing centres between Nov. 2, 2020 and Sept. 29, 2021 may have also had data stolen.

If you received a COVID vaccination at one of Renfrew County’s mass vaccination clinics between March 2021 and May 2021, you were impacted.

If you worked at ARH between September 2021 and December 2021, your vaccination status may have been accessed.

If you were admitted to ARH as an in-patient (i.e. overnight) between April 2009 and March 2017.

If you had a colonoscopy performed at ARH between March 2017 and August 2021 you may have been impacted.

“As part of its investigation, ARH also determined that certain records belonging to the ADFHTwere impacted,” Levesque said. “If you were on a physician waitlist with the Family Health Team from 2010-2022, you were impacted.”

You were impacted if you were a patient of Dr. McBride in August 2007 or March 2011, of Dr. Robson in June 2017, and of Dr. Villis or Dr. Kiskis in July of 2018, or of the Arnprior Medical Group generally in July 2020.

If you were contacted by the Flu Shot clinic in 2017 or 2019-2020, you were impacted.

The ARH says if your personal information was impacted other than in the categories above, then you will receive an individual notification.

“This matter is of the utmost concern to ARH and is being treated as our highest priority,” Leveque said. “We apologize for the inconvenience this unfortunate incident may cause you. Going forward, we are taking a number of additional measures to strengthen our systems. Working in collaboration with our internal IT team and external IT experts, we are continuing to invest in leading edge technologies to protect our systems and data from ever-growing cybersecurity threats.”

ARH working in conjunction with the ADFHT has set up a dedicated call centre for this incident to answer any questions you might have: 1-833-806-1882.

The Information and Privacy Commissioner of Ontario (IPC) has been notified of the breach. To file a complaint, please visit: https://www.ipc.on.ca/resources/forms/.