Ottawa hospital’s patient data stolen from test server of communications supplier

Personal health information of Canadians stored on the test computer of a third-party supplier to an Ottawa hospital has been stolen in a data breach.

Queensway Carleton Hospital said on Saturday the breach of security controls occurred in March at Aetonix Systems Inc., an Ottawa software company that makes the aTouchAway hospital-patient cloud-based communication. The hospital has been using the platform since 2021.

According to the Ottawa Citizen, data on about 100,000 patients was involved.

Patient data that may have been copied includes patient name, gender, date of birth, marital status, mother tongue, home address and postal code, phone number, email address, OHIP number and version, insurance policy number, health care providers, patient ID numbers, patient visit ID (Account/Encounter number), scheduled surgical appointments, past medical history, and procedure description.

The hospital stressed that its electronic medical record and patient portal were not impacted. No credit card, financial, or banking information was included. If people visited a COVID-19 vaccine clinic that was affiliated with QCH, their data was only uploaded to  provincial Ministry of Health servers and was not affected by this incident, the hospital added.

In a statement, Aetonix said it learned there had been a breach of security controls on March 13th. It was on a test environment where personal information “had temporarily and improperly been stored.”

“We believe that all data uploaded to our aTouchAway platform by Canada-based healthcare providers, patients and/or their caregivers prior to and including February 23, 2023, which was subsequently copied into the test environment, may have been compromised.

“This incident was a result of data being present in a location where it should not have been stored, and which should not have been accessible via the public web.”

UPDATE: IT World Canada emailed Aetonix asking to interview a senior official for more details. In reply, a company spokesperson said it has nothing to say beyond its media statement

Queensway Carleton has stopped using the Aetonix platform as a result of the incident while it conducts further evaluations “and are confident in the best tools to move forward.”

“We use the Aetonix platform for virtual communication services, care pathways and remote patient monitoring, as well as a host of other tools to support patients,” the hospital’s statement said. “Information for these interactions is sent from a QCH dataset to the Aetonix cloud server. Additionally, some patient registration information from the period between March 2021 and March 2023 was sent to Aetonix for integration purposes.”

“In compliance with provincial requirements, we have notified the Information and Privacy Commissioner of Ontario and we are in the process of notifying all our affected patients,” the hospital said.

“Although the incident was caused by a third-party vendor, we are using the incident as an opportunity to refresh our joint cybersecurity and incident response policies and procedures,” it added. “We have safeguards in place and have taken further steps to limit the risk of this kind of event happening in the future.”

In explaining why it has taken weeks to notify affected individuals, the hospital said it  worked to contain the incident, understand its scope, and retain support to respond to it. “Given the complexity of the incident and the involvement of the third party, we needed to take the time to fully understand the facts and appropriate remedies.”

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer. Former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, Howard has written for several of ITWC's sister publications, including ITBusiness.ca. Before arriving at ITWC he served as a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

Featured Story

How the CTO can Maintain Cloud Momentum Across the Enterprise

Embracing cloud is easy for some individuals. But embedding widespread cloud adoption at the enterprise level is...

Related Tech News

Get ITBusiness Delivered

Our experienced team of journalists brings you engaging content targeted to IT professionals and line-of-business executives delivered directly to your inbox.

Featured Tech Jobs