CBC reporters have verified health record files provided by hackers who say they acquired them by breaking into the computers of CarePartners, a company that contracts with the Ontario government.
The records date back to 2010, and include detailed health information, tax forms, credit-card numbers, and biographical information. The hackers claim to have "tens of thousands" of these records (the CBC has seen 80,000 records; CarePartners says it may be as many as 237,000 records). They say that they informed CarePartners about the defects in its security and provided detailed instructions for fixing them, and that they expect to get paid for this service.
The attackers told CBC News in an encrypted message that they discovered "by chance" software on CarePartners' network that had not been updated in two years, and were able to exploit those vulnerabilities and weak passwords to remove hundreds of gigabytes "completely unnoticed."
"This data breach affects hundreds of thousands of Canadians and was completely avoidable," the group told CBC News. "None of the data we have was encrypted."
While Ontario's privacy commissioner requires that personal health information be encrypted when stored on mobile devices, there is presently no similar requirement for desktop computers or servers.
Thousands of patient records held for ransom in Ontario home care data breach, attackers claim [Matthew Braga, Lori Ward and Andrew Culbert/CBC]
(Image: Bill Ward, CC-BY)