HomeLatest UpdatesPersonal, pregnancy details of Midwives of Windsor patients breached

Personal, pregnancy details of Midwives of Windsor patients breached

A data breach involving email has exposed the personal and pregnancy information of an unknown number of clients of the Midwives of Windsor, CBC News has learned. 

The breach was reported to Ontario’s Information and Privacy Commissioner months before it was disclosed to clients of the practice. 

Nancy Lefebvre is a resident of the Lakeshore area. She used midwifery services in 2020 and told CBC News that she was taken aback by the news, which she received via email.

“I was definitely surprised,” Lefebvre said. “You go to a midwife for that higher degree of intimacy and not wanting to be part of like a big corporation … where you don’t think that’s something that would happen.”

“It is also concerning because in that span of time a lot can be done with that information and it would have been nice to know sooner.”

You don’t think that’s something that would happen– Nancy Lefebvre

According to a letter emailed to some clients, the practice says it experienced an “email account compromise in April 2023 during which unauthorized individuals accessed one of our email accounts.”

“Upon learning of the incident, we acted immediately to secure the email account and retain third-party experts to assist us in our investigation.”

“As a result of the compromise, we believe your name, mailing address, email address, telephone number, date of birth, information regarding your pregnancy, treatment/diagnosis information, prescription information, patient ID and health insurance information were exposed. Your child’s name and date of birth may have also been exposed,” the practice said in a letter to one patient. 

The practice says while it is not aware of any misuse of the information, patients are asked to be alert to “suspicious communications that could be linked to this incident.”

It was not clear the number of clients affected or whether current, as well as former clients were impacted, given the breach occurred more than eight months ago. 

Reporting the incident

Midwives of Windsor says the breach has been reported to the Information and Privacy Commissioner of Ontario and law enforcement. 

The office of the Information and Privacy Commissioner of Ontario said to CBC News in a statement the breach was reported on Nov. 3. 

“Our investigation into this matter is ongoing and we are not able to share any additional details at this time,” the commissioner said in a statement. 

“When we investigate a privacy breach, we look to establish whether the breach has been contained, the appropriate people have been notified, and whether corrective action has been taken to address the underlying causes of the breach and prevent future breaches,” the office of the commissioner said. “Our office can issue orders to compel the health information custodian to undertake these corrective measures.”

Patients can file a complaint with the IPC within 12 months of becoming aware of a breach of the Personal Health Information Protection Act (PHIPA). 

A closeup shows an adult's hand holding the hand of a newborn.
The breach has exposed an unknown number of patients’ data. (Sokor Space/Shutterstock)

When reached by CBC News, Midwives of Windsor owner Crystal Hall referred all questions to the practice’s lawyer and an email address at the practice. But the lawyer named could not be found or contacted by CBC.

Months without knowing

While an unknown number of clients may be shocked to find out their information has been compromised, situations like this are not exceptional. 

According to Dave Shipley of Beauceron Security, a cybersecurity firm, the timeline on breaches of this nature are common. 

“In many cases, organizations don’t know for months that they’ve been the victim of a cyberattack,” Shipley said. “In fact, the average breach is discovered about 200 days after it first happens and this can often happen because cybercrimes have become fairly sophisticated.”

“There are an entire group of criminals whose job it is to be the break-and-enter specialists.”

It does make me sad for my three-year-old– Nancy Lefebvre

While the number of clients affected remains unclear, it is also unclear, according to Shipley, whether the breached information has been used in an improper manner. 

“Really the question is, ‘Can you conclusively prove that nothing bad has happened this information?’ And they can’t,” Shipley pointed out. “They lost custody of the information [and] the fact that nothing bad has yet happened is absolutely meaningless.”

“The health-care system in Canada has never had a bigger target on its back.”

Belle River resident Lara Kane, another client affected by the breach, has questions about what could happen to her data, but says she understands how common these types of situations have become.

“They’re the victim in this and you know … I had nothing but great things to say about them and their practice,” she said.

Lefebvre, who also praised the service she received from Midwives of Windsor, said the data breach has made her reflect on the digital world her child will grow up in. 

“It does make me sad for my three-year-old,” Lefebvre said. “She’s just little and she’s already been exposed to this type of crime.”

Source link


Most Popular

Recent Comments