The Decibel - What happens when a group of hospitals get hacked

Episode Date: January 22, 2024

On Oct. 23, 2023, five hospitals in southwestern Ontario realized they were under attack. A cybercrime group was hacking them in order to hold patient and employee information hostage. The hack resulted in all of the hospitals shutting down their systems, causing massive delays in care, backlogging tests and requiring some patients to travel for care. Karen Howlett, an investigative reporter at The Globe, has been looking into how hackers were able to get into the hospitals’ shared IT system and steal over 250,000 patient records. Questions? Comments? Ideas? E-mail us at thedecibel@globeandmail.com

Transcript
Starting point is 00:00:00 Sheila Thomas is 63. She's a retired chef. And unfortunately, she was diagnosed with breast cancer earlier last year. Karen Howlett is an investigative reporter at The Globe. She's talking about a woman who was at Bluewater Health in Sarnia, Ontario on October 23rd. She was at the cancer clinic at the hospital. She's waiting in the reception area to see her oncologist so she can get the results of a CT scan. And then suddenly an announcement comes over saying there's an emergency. And then seconds later, there's an order, shut down all computers. And then Sheila hears the receptionist say, we've been hacked.
Starting point is 00:00:49 Sheila was witnessing a massive cyber attack affecting all five hospitals in the Windsor, Sarnia and Chatham-Kent regions of southwestern Ontario. The hospital immediately declared what they call a code gray, meaning everything's taken offline. That means there was no email, there was no access to any of the patient medical records, there was no ability, therefore, for the oncologist to click on the computer and look at the results of her CT scan. This meant that Sheila had no idea and no way of knowing if her mastectomy had been successful. These hospitals were hit with a ransomware attack, where hackers steal data and block access to it while demanding a ransom. And as bad as that is, the consequences of that hack are still playing out nearly four months later, with devastating results for patients. Today, Karen's here to explain what happened, how it happened, and how hundreds of thousands of people are caught in the mess.
Starting point is 00:01:56 I'm Menaka Raman-Wilms, and this is The Decibel from The Globe and Mail. Karen, thank you for being here today. You're welcome. So, Karen, we're speaking on Friday, and we're talking about this hospital hack. There were five hospitals in southwestern Ontario that were attacked this fall. Windsor Regional Hospital, Sarnia's Bluewater Health, Chatham-Kent Health Alliance, Erie Shores Healthcare, and Hôtel-Dieu Grace Healthcare.
Starting point is 00:02:27 Karen, what exactly was stolen from them? So Bluewater Health was the hardest hit. The hackers basically scooped up medical records on every single patient that has visited that hospital going back three decades, going back to 1992. So they got records on 267,000 patients, their names, their dates of birth, their addresses, the reason why they were in the hospital. Wow. There were about another 20,000 patients that had their SIN numbers stolen. Karen, why would hackers want people's medical files? So on the dark web, that little illicit corner of the internet, that kind of personal information
Starting point is 00:03:17 is much more valuable than, say, stealing somebody's credit card number, because that is enough information that you can use to steal somebody's identity. Okay. So yeah, so patient info was taken from that hospital. What about the other four hospitals? Now, officially, the hospitals aren't releasing a lot of details. But what I've been told more unofficially from some of my sources is that it's like when they went into Bluewater, it's like the lights were on and they could see everything and they grabbed every file.
Starting point is 00:03:50 And then when they migrated over to the other hospitals, they could not get into their patient medical records. They were blocked from doing that. But what they were able to get is some other information on what are called shared files. So at Windsor Regional, for instance, it uses a shared file so that doctors and nurses can, you know, click on the computer and say, oh, what room is patient X in and why is patient X here? So the hackers were, it's an alphabetical system. They were partway through the letter A, and then Windsor Regional's alarm went off,
Starting point is 00:04:30 signaling that they were under attack. So they also declared a code gray and shut everything down. At the other three hospitals, the hackers got some information on names of employees, and in some cases their social insurance numbers. But again, none of the medical records. Okay. But still, it sounds like a lot of people here had information compromised in this situation.
Starting point is 00:05:00 Is it common for hospitals to be a target for hackers? Is this something we see? Unfortunately, it's becoming increasingly common. The Canadian Medical Association Journal, in fact, published a report on cyber attacks in healthcare institutions just in November. And they said that of all the cyber attacks in Canada in 2019, half of them were in healthcare institutions. Unfortunately, hospitals are not devoting enough resources to strengthening, protect their vital information online. It's expensive to do that. It's very expensive to upgrade. And hospitals, we know, they don't exactly have a lot of extra cash hanging around. And that makes them more
Starting point is 00:05:46 vulnerable. And plus, the information is so valuable. So that's what was stolen during the hack. What was happening at these hospitals, though, as a result of this ransomware attack? So, I mean, the hospitals, the day of the attack, they put out something saying, you know, we had an IT situation. And then a couple of days later, they acknowledged it was a cyber attack. A few days after that, they said it was a ransomware attack. In other words, the hackers were demanding money to get their information unencrypted. And the hospitals are refused to pay that, as have other hospitals in Canada that have been hacked. What about the services at the hospital? As a result of all of this happening,
Starting point is 00:06:30 like what were happening to the patients that needed care? So code gray means everything, all the IT systems are shut down. So basically, the hospitals reverted to like it was like 1980, 1990. That meant doctors and nurses were, you know, writing down patient information in pen and ink. So they were basically operating in the dark a lot. They had to like recreate medical records, like if a patient came in, so like, who are you? What's your background? Tell us about yourself. Like they had no access to any of that. If somebody took an x-ray of somebody, say somebody with a bone fracture, and then you wanted a surgeon, you know, to look at that, well, that surgeon would physically have to leave wherever he or she was working and walk over to the room
Starting point is 00:07:19 and look at the screen. This sounds like this is causing massive delays, it sounds like, in care. Yes. And at Windsor Regional, for instance, it already had the longest wait times in emergency in Ontario. And that's really because there's a shortage of primary care doctors in Windsor. They were just getting that situation under control and making improvements only to have everything set back by the attack. So you can imagine like the backlog of people who need various tests. It just grew and grew and grew. I mean, do we have any numbers when you're talking about the backlog and the wait times? Do we know what that's actually looking like? So at Bluewater Health, as of mid-December,
Starting point is 00:08:14 the backlog for like CT scans, mammograms, you know, other radiology tests, it was 5,200. As of this week, it has grown to 8,000. As a result, like, can they treat everybody? Do they have to spread patients around? What happens there? Initially, a lot of the attention was on Windsor Regional because it's the biggest. It's like it's the major acute care hospital for, you know, the city of Windsor. It had to divert a lot of like cancer patients to other hospitals. So it was like sending some to health care clinics in Detroit, some to London, and some as far away as Toronto. On a good day, it takes like three hours to drive from Windsor to Toronto. So that's pretty far. And you say Detroit, so we're actually sending patients to the States to get care.
Starting point is 00:08:56 Yes. And the government was approving that because they had to get OHIP approval to cover the cost, right? Because, you know, you couldn't expect patients to bear that cost. But, you know, for some of the patients going to Detroit was a lot more convenient. It's a half hour drive from Windsor as opposed to two hours of London or three hours of Toronto. So, yeah, a lot of people whose health care has been disrupted here. We heard about Sheila Thomas off the top and her experience. Karen, did you talk to anyone else who was affected by these delays causing the cyber attack? So Ed Wing, he's a 75-year-old retired heating and air conditioning technician. So he lives in Windsor.
Starting point is 00:09:35 And unfortunately, he has stage four metastatic liver cancer. So prior to the attack, he already had two biopsies canceled because of a staff shortage. This was before the cyber attack. This is before the attack. So he's got a third one set for October 25th, two days after the attack. Obviously, that one gets canceled too. So he finally gets it on November 10th, but then he needs a CT scan and the hospital tells him, sorry, like we can't even look at booking anything for you until the new year, until 2024. So his doctor says, look, just go to emerg and just sit there and, you know, they're going to eventually have to give you this. So he does that. On November 27th, he goes to emerg at nine o'clock in the morning. 15 hours later, he gets the scan. We'll be back in a moment.
Starting point is 00:10:48 I mean, this is a really difficult situation for a lot of people here. What have hospital officials said about all of this? So this whole attack, everybody's investigating it, right? We have the local police investigating it. We have the OPP investigating it. We have the FBI investigating it, plus Interpol. So the hospitals are really like, beyond telling us like what was stolen, acknowledging that it was a ransomware attack, and that they didn't pay a ransom. They have only done one news conference back on November 17. What did they say in that one press conference?
Starting point is 00:11:21 Each hospital CEO, they each spoke for five minutes, and they obviously expressed a great deal of sympathy for the upheaval it's caused, and basically gave a little bit of a description on what was taken and that they're investigating and that they can't say a lot about what they're going to be doing to make the system more secure or anything like that. But what do we actually know about the hackers themselves?
Starting point is 00:11:49 So this group, they're called Daixin Team. They specialize in going after hospitals. They've gone after a lot of hospitals in the U.S. A lot of those hospitals have actually paid ransoms. This is why you were saying FBI, like there's other organizations investigating. This is an international thing. That's exactly right. Yes. Do we know how they gained access to all of those patient files at the hospital in Sarnia? Because that seems like they got so much information there.
Starting point is 00:12:13 Sarnia uses a different system to house their patient records. And they acknowledged in their annual report for the fiscal year ending March 31st, 2023, that they have an aging system, one they've been using for more than 30 years, and that the board of directors had agreed to upgrade the system, but there were no more details. We have no information on how the hackers got into it. Like, did everybody share a password? We don't know because they won't tell me. Almost every question is we cannot comment because it's under investigation. Do we know, like such an old system, do we know why Bluewater didn't update its technology if it knew that it was this old? No, we don't because they won't say. So I've put that to them because there was a hospital executive was quoted in the local media back in 2013 saying, we're upgrading our system and we're going to use this new system and it's going to cost us $25 million over 10 years. So that was an article back in 2013. I did a search of every single news release Bluewater's released beginning with January 2013.
Starting point is 00:13:36 They never said anything about this in any news release. In 2019, there was another local media story quoting a hospital executive. So this is after the other four hospitals had announced that they were planning to upgrade their medical record system. So this story in 2019 quotes a hospital executive saying, we're going to take it slow. No explanation. Just we're going to take it slow. But it sounds like even in 2013, they knew that they needed to update things, but it sounds like it just didn't happen. Yes. So they only
Starting point is 00:14:12 announced that they're upgrading, moving to the system the other four hospitals use. They announced that last week. And it's going to take until the end of this year before it's up and running. In the meantime, they are working on getting their old Meditech system back up and running. They're not saying when that's going to be up and running, which is why they're still using pen and papers to record everything. So we've talked about this one hospital then. How did the hackers get access then to the other four hospitals? So because the five hospitals all use the same IT provider, a company called TransForm, and TransForm houses not only the hospitals' medical records for patients, but it also houses files on, like payroll files, so, you know, information on all the employees and how much they make, their social insurance numbers, and some of what are called these shared files, like the one that the hackers got into at Windsor Regional, the alphabetical files, you know, listing names of patients, what room they're in, why they're in the hospital. And why do these five hospitals share an IT system? Like, is that a common thing?
Starting point is 00:15:29 This was something the McGuinty government was encouraging hospitals to do back around 2013 when it had organized health care into like 14 regional areas. This is a way for hospitals to save money because they can share the cost of their IT systems among a group of hospitals instead of bearing all the costs associated with getting things up online on their own. Obviously, this is a big problem. What is being done to prevent this from happening again, Karen? All the hospitals in TransForm, the shared IT provider, are saying is that they're working on, you know, upgrading things, but no details. Meanwhile, the Ministry of Health, they've asked Ontario Health, which is the umbrella health agency that, you know, oversees all health care delivery in Ontario.
Starting point is 00:16:26 They ask hospitals to all adopt like a similar cybersecurity model. So, I mean, it sounds like, honestly, this comes down to money. Hospitals are already strapped for funding and for money, and they don't always have enough to kind of upgrade in this way. And unfortunately, the cyber attack is costing a lot of money. I mean, the hospitals have had to bring in cybersecurity experts. That costs money. Go through all their systems. Look what was stolen, you know, getting things back online.
Starting point is 00:17:00 They're also facing a proposed class action lawsuit because of the cyber attacks. So this is, you know, like maybe Bluewater, for whatever reason, did not invest when the other hospitals did in upgrading, but the attack itself is going to cost a lot of money. We talked about Bluewater and that they're still using pen and paper right now. What about the state of the other four hospitals? How are they doing now? So the other four hospitals are pretty much back to normal. Obviously, they're working through a backlog that came about because for two months, nothing was back to normal. But they're pretty much back to normal.
Starting point is 00:17:40 They've got access to the patient records online. They're able to do like diagnostic testing again. So things are pretty much back to normal. And what about the patients we talked about? Like I'm thinking in particular about Ed. Where is he at now? I talked to Ed yesterday. And fortunately, he had his first chemo treatment in Windsor yesterday.
Starting point is 00:18:03 So he's quite relieved that he doesn't have to travel across the border or anywhere else for this. Karen, thank you so much for taking the time to be here today. You're welcome. That's it for today. I'm Menaka Raman-Wilms. Our producers are Madeleine White, Cheryl Sutherland, and Rachel Levy-McLaughlin. David Crosby edits the show. Adrian Cheung is our senior producer.
Starting point is 00:18:29 And Angela Pacienza is our executive editor. Thanks so much for listening, and I'll talk to you tomorrow.
