Personal health information of Canadians stored on the test computer of a third-party supplier to an Ottawa hospital has been stolen in a data breach.
Queensway Carleton Hospital said on Saturday the breach of security controls occurred in March at Aetonix Systems Inc., an Ottawa software company that makes the aTouchAway cloud-based hospital-patient communication platform. The hospital has been using the platform since 2021.
According to the Ottawa Citizen, data on about 100,000 patients was involved.
Patient data that may have been copied includes patient name, gender, date of birth, marital status, mother tongue, home address and postal code, phone number, email address, OHIP number and version, insurance policy number, health care providers, patient ID numbers, patient visit ID (Account/Encounter number), scheduled surgical appointments, past medical history, and procedure description.
The hospital stressed that its electronic medical record and patient portal were not impacted. No credit card, financial, or banking information was included. If people visited a COVID-19 vaccine clinic that was affiliated with QCH, their data was only uploaded to provincial Ministry of Health servers and was not affected by this incident, the hospital added.
In a statement, Aetonix said it learned there had been a breach of security controls on March 13th. The breach was on a test environment where personal information “had temporarily and improperly been stored.”
“We believe that all data uploaded to our aTouchAway platform by Canada-based healthcare providers, patients and/or their caregivers prior to and including February 23, 2023, which was subsequently copied into the test environment, may have been compromised.
“This incident was a result of data being present in a location where it should not have been stored, and which should not have been accessible via the public web.”
UPDATE: IT World Canada emailed Aetonix asking to interview a senior official for more details. In reply, a company spokesperson said it has nothing to say beyond its media statement.
Queensway Carleton has stopped using the Aetonix platform as a result of the incident while it conducts further evaluations “and are confident in the best tools to move forward.”
“We use the Aetonix platform for virtual communication services, care pathways and remote patient monitoring, as well as a host of other tools to support patients,” the hospital’s statement said. “Information for these interactions is sent from a QCH dataset to the Aetonix cloud server. Additionally, some patient registration information from the period between March 2021 and March 2023 was sent to Aetonix for integration purposes.”
“In compliance with provincial requirements, we have notified the Information and Privacy Commissioner of Ontario and we are in the process of notifying all our affected patients,” the hospital said.
“Although the incident was caused by a third-party vendor, we are using the incident as an opportunity to refresh our joint cybersecurity and incident response policies and procedures,” it added. “We have safeguards in place and have taken further steps to limit the risk of this kind of event happening in the future.”
In explaining why it has taken weeks to notify affected individuals, the hospital said it worked to contain the incident, understand its scope, and retain support to respond to it. “Given the complexity of the incident and the involvement of the third party, we needed to take the time to fully understand the facts and appropriate remedies.”