UPDATE: NOVEMBER 8, 2023
It has been a very challenging few weeks for public sector organizations in Ontario experiencing cybersecurity incidents, including hospitals, healthcare centres and libraries. It is unfortunate that these incidents are becoming increasingly common, especially when they impact organizations that are dedicated to serving the health and well-being of our communities.
At Michael Garron Hospital (MGH), we recently suffered a data security incident perpetrated by a cyber threat actor group. We did not pay a ransom and we are aware that data connected to the incident may be published. Having received the advice and counsel of leading third-party experts, we determined we would not yield to ransom demands. Our programs and patient care services continue to operate normally and MGH remains a safe place to receive care.
We have determined that some personal data belonging to MGH employees and credentialed clinicians employed from January 2015 to November 2023 was stolen. At this time, we can confirm this data includes home addresses, social insurance numbers, bank account numbers (employees on direct deposit) and earnings information for affected employees and home addresses, social insurance numbers and earnings information for affected credentialed clinicians.
Given the nature of the information exposed, we will be providing all affected MGH employees and credentialed clinicians with a free, two-year credit monitoring service – a service that allows one to check for signs of identity fraud so protective action can be taken. This protective service is of significant benefit, and we encourage recipients to take advantage of it. All current employees and credentialed clinicians will receive information on how to enroll in this credit monitoring service by email this week.
Former eligible employees and credentialed clinicians will receive information by mail. If you were employed by MGH between January 2015 and November 2023, and have not received information by mail by December 8, 2023, please email @email.
We know that some patients and donors are also affected by the incident, though it will take us time to analyze data to determine who is affected and how. We will continue to be transparent and will notify those affected as appropriate. We encourage you to read our Frequently Asked Questions page to learn more.
We appreciate that this news is concerning and we apologize. We want to express our sincere thanks to all those involved in responding to this incident, including our healthcare teams, partners, government agencies and law enforcement services. We also want to thank our patients, community members, staff, credentialed clinicians and donors for their patience and support as our investigation continues.
UPDATE: November 3, 2023
On October 23, 2023, Michael Garron Hospital (MGH) was made aware of a data security incident. We immediately engaged third-party experts to investigate and assess the impact, while planning and implementing additional proactive measures to safeguard our data and information systems.
Based on the ongoing investigation, we have determined that some patient, staff, credentialed clinician and donor data has been exposed. At this time, there is no indication that our patient health information database was compromised or that this incident is related to the cyberattack recently experienced by other hospitals in southwestern Ontario.
We continue to work with third-party experts to assess the extent of the exposure and individuals impacted. We will notify individuals whose data is affected by this incident in accordance with the law.
Out of an abundance of caution, we will be providing staff and credentialed clinicians at MGH with a free credit monitoring service for a period of two years – a service that allows one to check for signs of identity fraud so protective action can be taken.
We are working closely with government agencies and law enforcement and we have reported the incident to the Ontario Information and Privacy Commissioner.
The health and safety of our community is our top priority. Our programs and patient care services continue to operate normally and MGH remains a safe place to receive care. We understand you may have questions about this data security incident and encourage you to read our Frequently Asked Questions page to learn more.
We anticipate the investigation will take some time to complete. We appreciate your patience and support as our investigation continues and are committed to providing updates as we learn more.
Update: November 1, 2023
On Thursday, October 26, Michael Garron Hospital (MGH) proactively initiated a Code Grey to facilitate a swift and coordinated response to the data security incident and ensure minimal disruption to hospital and broader health system operations. This response to the incident enabled the hospital to effectively prepare downtime procedures in the event of a large-scale information technology (IT) system failure.
MGH’s programs and patient care services are operating normally, with no impacts to our information and clinical application systems. Therefore, we are declaring the Code Grey All Clear.
While we are transitioning out of the Code Grey, the investigation into the impact of the security incident continues, including assessing whether data has been exposed. We will provide more updates as we learn more.
Update: October 30, 2023
On Thursday, October 26, Michael Garron Hospital (MGH) initiated a Code Grey to facilitate a swift and coordinated response to the incident and ensure minimal disruption to hospital and broader health system operations.
During the weekend, we continued to work together with a team of third-party experts across the sector to investigate and assess the impact of the incident. The investigation is progressing well and our programs and patient care services are operating normally.
We have no indication that this data security incident is related to the cyberattack recently experienced by other hospitals in Southwestern Ontario.
We are grateful to our partners for their ongoing support and will provide more updates as we learn more.
Update: October 26, 2023
Earlier this week, Michael Garron Hospital (MGH) was made aware of a data security incident. We are actively investigating and assessing the impact of the incident with the support of third-party experts.
At this time, there are no known impacts to clinical applications or patient care services.
We have initiated a Code Grey to facilitate the coordination of resources and business continuity. We have also notified our partners.
Out of an abundance of caution, our teams are in the process of planning and implementing additional proactive measures to safeguard our data and information systems while the investigation is underway.
We will provide more updates as we learn more.