Public Notice
UPDATE: May 10, 2023
TransUnion has reported that they have resolved the issue with their website, and it is once again available for those who received a letter to activate their subscription. However, their Call Center is still experiencing difficulties. We are working with them to address this. Your patience is appreciated while they sort this out. Once the issue is resolved, we will update this notice.
May 8, 2023
We have been informed by TransUnion of some technical difficulties they are having. Your patience is appreciated while they sort this out. Once TransUnion has resolved the issue, we will update this notice.
April 28, 2023
Dear QCH Community,
A recent data security incident at a third-party software vendor, Aetonix, may have resulted in unauthorized access to some of the personal information provided to Queensway Carleton Hospital (QCH).
Since March 2021, QCH contracted with Aetonix Systems Inc. (“Aetonix”), a Canadian software company, to use their aTouchAway® cloud-based communication platform.
Please know there is no evidence that the information has been misused. However, we are notifying affected patients and providing information about resources to help protect their information. Protecting your personal information is a priority at QCH, and we take your privacy and any risk of unauthorized access to your personal health information very seriously.
What Happened
In early March, Aetonix discovered that an unauthorized third party gained access to an internal test environment where personal health information of Canadian patients had been temporarily stored.
Out of an abundance of caution, QCH has halted using the platform.
Following a thorough review of the incident, Aetonix’s forensic investigation has concluded that the incident may have resulted in your personal health information being accessed or copied by an unauthorized third party.
QCH takes the security of personal information very seriously, and we sincerely regret that this incident occurred. We are sending individual letters to the affected patients and are working with the Ontario Privacy Commissioner to ensure we are doing everything we can.
How did this affect you?
The investigation has identified that patient data for certain QCH patients over the past two years may have been accessed from the Aetonix cloud platform. If you have been impacted, you will receive a letter in the mail providing further information.
QCH had been using the Aetonix platform to provide virtual communication services, care pathways, and remote patient monitoring for QCH patients. Additionally, some patient registration information from the period between March 2021 and March 2023 was sent to Aetonix and may have also been accessed by the unauthorized third party.
We want to stress that neither QCH nor Aetonix is aware of any misuse of this information, and Aetonix’s investigation could not confirm whether any unauthorized person actually viewed or copied your information.
The data potentially accessed may include:
- Patient ID numbers (MRN – Medical Record Number)
- Patient visit ID (Account/Encounter number)
- Demographic information: patient name, gender, date of birth, marital status, mother tongue
- Contact information: home address, postal code, phone number, email address
- OHIP number and version
- Insurance policy number
- Health care providers
- Scheduled surgical appointment dates/times
- Past medical history
- Procedure description
It is important to note that the electronic medical record (“EMR”) system used at QCH was not impacted. This incident only involved Aetonix’s systems. This incident also does not involve credit card, financial, or banking information about you, which is never requested by us.
What We Are Doing
QCH took multiple steps to contain and remediate the incident:
- Upon learning of the incident, QCH immediately sought clarification from Aetonix on the scope of the data impacted and measures implemented to secure the environment.
- We immediately requested and received assurances that Aetonix has secured its environment by deploying specialized tools.
- We halted our use of the Aetonix platform.
- In compliance with provincial requirements, we have notified the Information and Privacy Commissioner of Ontario and we are in the process of notifying all our affected patients.
- Although the incident was caused by a third-party vendor, we are using the incident as an opportunity to refresh our joint cybersecurity and incident response policies and procedures.
What You Can Do
Unfortunately, Aetonix has been unable to provide individuals with information about the specific data accessed. However, as a courtesy to QCH patients impacted, we have retained the assistance of TransUnion Canada, Inc. (“TransUnion”), one of Canada’s leading consumer reporting agencies.
Impacted patients will receive a letter containing more information on how to register for a subscription to TransUnion myTrueIdentity, an online credit monitoring service, at no cost to those patients who have been impacted.
We encourage impacted patients to take advantage of this service and help protect their identity.
The service provides:
- Unlimited online access to the TransUnion Credit report, updated daily. A credit report is a snapshot of a consumer’s financial history and the primary tool leveraged for determining credit-related identity theft or fraud.
- Unlimited online access to the TransUnion CreditVision® Risk score, with score factors and analysis updated daily. A credit score is a three-digit number calculated based on the information contained in a consumer’s credit report at a particular point in time.
- TransUnion credit monitoring alerts with email notifications of key changes on a consumer’s credit file. In today’s virtual world, credit alerts are a powerful tool to protect against identity theft, enable quick action against potentially fraudulent activity, and provide overall confidence to potentially impacted consumers.
- Unlimited access to online educational resources concerning credit management, fraud victim assistance and identity theft prevention.
- Identity theft insurance of up to $1,000,000 in coverage to protect against potential damages related to identity theft and fraud.*
- Dark Web Monitoring to provide monitoring of surface, social, deep, and dark websites for potentially exposed personal, identity and financial information in order to help protect consumers against identity theft.
*Underwritten by AIG Insurance Company of Canada.
Although there is no indication that any information involved in the Incident has been misused, we would like to remind everyone to be diligent, as always, when protecting your identity by monitoring your accounts and remaining vigilant for incidents of fraud and identity theft. You should also be mindful of phishing attempts and take care when responding to unsolicited communications (whether electronic or otherwise) that reference or request your personal information or account credentials.
QCH will not contact you by email, requesting you to provide or verify sensitive personal information. When in doubt or if you have any concerns about the validity of any emails QCH sends, please contact us as indicated below.
What Else You Can Do
If your health card number has been affected by the Incident, you should call ServiceOntario INFOline at 1-866-532-3161 or 1-800-387-5559 to report your lost or stolen health card number. If you suspect misuse of your health card number, you can report suspected cases of fraud by calling the Ministry of Health and Long-Term Care at 1-888-781-5556 or e-mail at reportohipfraud@moh.gov.on.ca.
You may also wish to review this publication from the Information and Privacy Commissioner of Ontario, Identity Theft: A Crime of Opportunity.
For More Information
Again, we regret that this incident occurred and apologize for any inconvenience it has caused.
If you have any questions or if you desire further information or assistance, we have set up a dedicated call centre with TransUnion to address any additional questions. Please contact TransUnion at 1 833-570-3044.
You are also entitled to file a complaint to the Office of the Information and Privacy Commissioner (IPC) of Ontario.
Should there be any further information about this Incident and your personal information, we will provide updates on this webpage.
Q&A
How will I know if my information has been compromised?
We take the privacy and security of our patients very seriously, and we are actively working to address this situation. If you are among the affected individuals, you will receive a formal letter notifying you about the breach and providing guidance on the necessary steps to take. The letter will contain specific details and instructions tailored to your situation.
How long will it take to receive the notification letter?
We understand the urgency and the importance of promptly notifying affected individuals and are sending letters the week of May 1st. We have enlisted TransUnion Canada, one of Canada’s leading consumer reporting agencies, to assist us with those notifications.
Can I call to see if I have been impacted by this data breach?
If you have questions, you can call the call center at 1 833-570-3044; however, for security and privacy reasons, we are unable to confirm an individual’s involvement over the phone.
What if my address has changed?
If you have not received a notification by May 30th, 2023, and you are concerned that your information was included in the data breach, please complete a Consent to Disclose Personal Health Information form and submit the information to the QCH Health Records Department. More information can be found at: https://qch.on.ca/PersonalHealthInfo under the heading “Requesting Access to Personal Health Information at QCH”.
Have you contacted the individuals whose information may have been compromised?
The distribution of letters to patients affected by this incident will begin the week of May 1. Patients will be invited, if they wish, to access the additional TransUnion services.
I received my COVID vaccine at the QCH vaccination clinic. Was this data part of the incident?
If people visited a vaccine clinic that was affiliated with QCH, their data was only uploaded to Ministry of Health servers and was not affected by this incident.
Does the incident include my data in the patient portal or Electronic Medical Record?
The Patient Portal and Electronic Medical Records were not impacted.
What exact information was taken?
Impacted individuals will receive a letter containing more information on their information that was potentially impacted. We understand that this can be worrisome. Please know there is no indication that any information has been misused.
Has the stolen data been shared publicly? Has there been a threat to share the data?
As of the date of this notice, we are not aware of any misuse of the data potentially impacted by the incident. Aetonix continues to monitor the Internet for any activity and potential misuse of the data. We will share any updates or developments on our website, should there be any.
Why did this confidential information end up on this application?
We use the Aetonix platform for virtual communication services, care pathways and remote patient monitoring, as well as a host of other tools to support patients. Information for these interactions is sent from a QCH dataset to the Aetonix cloud server. Additionally, some patient registration information from the period between March 2021 and March 2023 was sent to Aetonix for integration purposes.
What measures are in place to prevent a recurrence?
We have requested and received assurances that Aetonix has secured its environment using specialized tools to ensure no further unauthorized access occurs. In addition, we have halted our use of Aetonix tools and platform while we conduct further evaluations ourselves and are confident in the best tools to move forward.
Why was there a delay in notifying patients/the public?
We immediately worked to contain the incident, understand its scope, and retain support to respond to it. Given the complexity of the incident and the involvement of the third party, we needed to take the time to fully understand the facts and appropriate remedies.
Is our information safe now?
We have halted the use of the Aetonix platform. We take the security and privacy of personal health information very seriously. We have safeguards in place and have taken further steps to limit the risk of this kind of event happening in the future.