Arnprior Regional Health says it has been the target of a cyber attack that has breached data dating back to decades ago.
The hospital network confirmed the news via an announcement on its website on Thursday, May 19, adding that it had become aware of the attack on its information technology (IT) system on December 21.
“This matter is of the utmost concern to Arnprior Regional Health and is being treated as our highest priority. We apologize for the inconvenience this unfortunate incident may cause you,” Leah Levesque, president and chief executive officer of the hospital said in a statement. “Going forward, we are taking a number of additional measures to strengthen our systems. Working in collaboration with our internal IT team and external IT experts, we are continuing to invest in leading edge technologies to protect our systems and data from ever-growing cyber security threats.”
Names, contact information, dates of birth, health card numbers, recent visits to the hospital and diagnosis have been among the information compromised in the breach.
The health records system, however, was not impacted.
Despite the breach, there is no disruption to the delivery of healthcare or other services the hospital provides.
At this time, there is no further misuse of the data, and the hospital has received assurance that the data has been deleted.
Following an investigation, the health system found the following categories of patients were impacted:
- Past patients who visited between April 1996 and January 2010;
- ER patient satisfaction information from those who visited the hospital during March 2009 and February 2010;
- ER patients satisfaction information from those who visited the hospitals between July 2016 and November 2021 (excluding March 16 to 31, 2017);
- In-patient satisfactory information from those who visited the hospital during April 2009 to February 2010 (excluding July 2009 and October 2009) March 2014 or July 2016 to November 2021 (excluding March 16 to 31, 2017);
- Colonoscopy patients who were at the hospital during March 2017 and August 2021 (excluding August 2017, October 2017, December 2017, June 2018, July 2018, February 2019, April 2021 and May 2021);
- Patients who booked a COVID test through one of Renfrew Country’s mass swabbing centres during November 2020 to September 29, 2021;
- Patients who received a COVID vaccination at one of Renfrew Country’s mass vaccination clinics between March 2021 and May 2021;
- Employee vaccination status of anyone who worked between September 2021 to December 2021;
- Anyone on a physician waitlist with the Family Health Team from 2010 to 2022 were also impacted;
- Anyone on a waitlist for Dr. McBride in August 2007 or March 2011; Dr. Robson in June 2017; and Dr. Villis or Dr. Kiskis in July 2018, or of the Arnprior Medical Group generally in July 2020;
- Anyone who contacted the flu shot clinic in 2017 or 2019 to 2020.
However, if someone has visited the emergency room during the above dates due to death, suicidal thoughts, miscarriage, abortion, grieving, morning after pill/contraception, bizarre behaviour, substance overdose, vital signs absent, homelessness, sexual assault, domestic assault, physical assault, altered level of consciousness or palliative care, then their data has not been impacted.
If personal information was impacted other than in the categories above, then a notice will be given out to individuals.
Arnprior Regional Health is working in conjunction with the Arnprior District Family Health Team and has set up a dedicated call centre for this incident to answer any questions patients may have.
The centre can be reached at 1-833-806-1882.
The Information and Privacy Commissioner of Ontario has also been notified of the breach.