In a bizarre and developing story, as many as 80,000 patients in Canada may have had detailed medical, financial and personal records stolen by a hacker group after it infiltrated the computer systems of home care services provider CarePartners.
Ontario-based CarePartners, which has provided government-sponsored personal, rehabilitation and nursing care services to hundreds of thousands of patients over the years, announced the breach in June. At the time, the home care provider and cyberattack victim claimed “sophisticated actors” had “inappropriately” gained access to and held information pertaining to the personal health and finances of its patients and employees.
To determine the full extent of the breach, CarePartners announced it had retained the services of cybersecurity firm Herjavec Group.
Now, about a month after the initial cyberattack, CBC News is uncovering additional details—with the help of the hackers.
According to a CBC News report, a group claiming responsibility for the breach reached out to the news outlet and provided a sample of the data it had allegedly accessed.
The sampled data reportedly included thousands of patient medical records with phone numbers, addresses, dates of birth and health care numbers. The data included extensive medical histories, CBC News reported, complete with information on conditions, diagnoses, surgical procedures, care plans and medications prescribed.
The sampled data also reportedly shows that more than 140 active patient credit card numbers, expiration dates and security codes had been stolen.
Overall, the data appears to contain names and contact information for more than 80,000 patients, according to CBC News, though the hacker group says the breach was actually far larger in scope.
“This data breach affects hundreds of thousands of Canadians and was completely avoidable,” the group told CBC News. “None of the data we have was encrypted.”
The news outlet contacted 10 patients whose records were included in the provided sample and confirmed that they had been patients of CarePartners. All 10 patients said they had not been directly notified by the home care provider and were unaware there had even been a breach.
“We are concerned that the cyber-attackers may be using the CBC to further their own extortion agenda,” CarePartners said in a statement published by CBC News in its report. “It is a common strategy of cyber-attackers to contact media in an effort to embarrass and shame their victims.”
The hacker group says that, besides stealing patient data, it is holding the stolen information for ransom.
“We requested compensation in exchange for telling them how to fix their security issues and for us to not leak data online,” it said.
The cyberattack is being investigated by the Office of the Information and Privacy Commissioner of Ontario.
The CarePartners hack is not the first time in-home care providers have had their networks compromised.
In 2015, Amedisys, Inc. (Nasdaq: AMED) notified state and federal agencies—as well as 6,909 individuals—that personal information was possibly subject to a data breach. The incident was linked to missing encrypted computers and laptops belonging to former employees.
Cybersecurity attacks and health plans
U.S. health plans have reported 24 breaches so far in 2018, compared to 15 during the same period in 2017, representing a 60% increase in the number of entities impacted, according to Fortified Health Security’s 2018 Mid-Year Report.
The total number of patients impacted by those breaches increased by more than 1,000%. Of the health plans impacted by a breach thus far in 2018, 38% were either state or city-affiliated health plans.
The 24 identified breaches have affected more than 884,000 individuals.
Fortified Health is a Tennessee-based cybersecurity firm.
Written by Robert Holly