As five southwestern Ontario hospitals grapple with a cyberattack they say has caused delays, some patients and their families say they’ve been left waiting for hours and had procedures cancelled.
Tianna Giesbrecht says she arrived at the Windsor Regional Hospital’s Met campus by ambulance around 5 p.m. Monday for what she suspects is a problem with her appendix. She says she was still waiting by 2 p.m. Tuesday and was later seen that evening.
Speaking to a CBC reporter via Facebook Messenger, Giesbrecht says people waiting with her in the hospital have left without being seen. Staff, she says, are using paper records and seem “frustrated.”
“It’s extremely frustrating knowing that our hospitals aren’t better equipped against this sort of thing,” Giesbrecht said, noting she works in IT.
“Plus it’s scary to think of how many people are in pain and needing help and we just sit here waiting.”
Online services such as patient records and email have been down since Monday morning at the five hospitals — Windsor Regional Hospital, Erie Shores HealthCare, Hôtel-Dieu Grace Healthcare, Bluewater Health and the Chatham-Kent Health Alliance.
The five impacted hospitals are not providing comment on Tuesday.
The hospitals released a statement Monday night saying that they would be contacting those with care scheduled in the coming days to reschedule or provide other arrangements.
“Also, we would continue to ask if you are not needing emergency care to attend your primary care provider or local clinic to reduce the impact upon the hospitals as we work towards addressing these issues and focus on those needing hospital care,” the hospitals said in a joint statement
“Unfortunately, we may not be able to reach all patients, and we request your understanding if we are required to reschedule care in person at our facilities,” the statement said.
The systems affected are provided by TransForm, a non-profit founded by the hospitals to run IT, supply chain and accounts, according to the organization’s website.
The company confirmed Monday night its hospitals are experiencing a cyberattack. TransForm said its investigating the “cause and scope of incident, including whether any patient information was affected.”
It also says it is working from a back-up system but it can take time to access documents.
Karen Churcher says her husband, Barry Cox, is currently at Bluewater Health in Sarnia. He’s been in the hospital for two weeks awaiting a cardioversion — a procedure that helps restore normal heart rhythms to abnormally beating hearts — that was cancelled Tuesday morning.
“Unfortunately, it was cancelled at the very last minute and it’s uncertain when this procedure will be rebooked,” Churcher said. “Unfortunately he is stuck in the hospital until such time that the procedure can happen.
“We’re both feeling very frustrated, that’s all he wants to do is come home and be in his own bed to recuperate from his illness.”
While her husband is in stable condition, Churcher says he can’t leave the hospital without the procedure. And she says she worries he’s taking up a bed that could be used by another patient.
Churcher says there’s no indication yet when her husband may get his procedure done. But in the meantime, she says he’s feeling discouraged.
“I do know that the hospital’s trying to do all they can to keep business running as usual as possible,” said Churcher, who described the atmosphere at Bluewater Health as “all hands on deck,” with staff working very hard.
“Unfortunately, we rely so heavily on technology that when we lose the technology that we rely on, it creates a disruption in the system and it puts patients at risk.”
Company won’t say which police agency is investigating cyberattack
Michelle Watters, director of stakeholder relations for TransForm, told CBC News Tuesday morning police are investigating, but would not say which police department is working on the case.
Neither the RCMP nor Chatham-Kent or Sarnia police are involved in the investigation, spokespeople confirmed.
Windsor police and OPP have not returned a request for comment Tuesday afternoon.
Privacy commissioner not yet notified of cyberattack
In a statement to CBC News, the office of Ontario’s information and privacy commissioner says caretakers of health-care information are required to report certain types of data breaches to the privacy commissioner.
“Our office has not been notified of this incident and will be following up with the affected hospitals. At this time, we have not received any complaints from the public regarding this matter,” the statement says.
TransForm said in its statement Monday night it was still investigating whether patient information was affected.
The commissioner’s office says cyberattacks are “an increasing threat” to personal information, and says organizations should be planning for cyberattacks, including increasing staff awareness and investing in education and industry best practices.
“Personal health information is particularly sensitive and privacy breaches can have devastating impacts for individuals, and ultimately undermine trust in the health-care system.”
Hospitals common targets for cyber criminals: expert
Daniel Tsai is a technology expert and lecturer at the University of Toronto.
He says hospitals and other public institutions are common targets for bad actors because of the kinds of information they hold.
“They treat that as an opportunity to ransom as much money as they can out of these hospitals,” he said
While he doesn’t know the specifics, Tsai said from his expertise the attack was likely serious if it prompted the IT provider to take their systems offline, which the company said it did Monday morning.
Tsai said there are different types of cyberattacks, and we don’t yet know which has occurred here. But ultimately the schemes have the same goal, he says.
“It usually involves some form of extortion where hackers control the sensitive data and prevent access to it, which results in a major threat,” Tsai said.
And while there will be an investigation, getting the culprit could be challenging, especially depending on where the attack came from: Russia, North Korea and China are countries where cyber crime is more common.
“Countries like that, good luck trying to get justice and having your police and your court system recognized abroad,” he said. “I think that’s going to be a big problem.”
Getting the hospitals’ systems back online will take a few steps, including assessing how badly the network was hacked and any remediation steps — all of that meaning it could be a while yet before the attack is resolved.
“Now that we’ve had this hack occur, this can act as a lesson for other hospitals and for this group of institutions to make sure this doesn’t happen again,” he said.
“Sometimes failure is the best lesson in terms of learning from your mistakes.”