Ontario health agency informed of cyberattack more than 2 months before telling patients

Ontario Health atHome was told by one of its vendors about a cyber incident on April 14, according to new information. It waited until June 27 to begin telling patients.

The provincial agency overseeing Ontario’s home care system was informed about a massive data breach in April, Global News has learned, more than two months before the public, along with hundreds of thousands of impacted patients, were notified.

Ontario Health atHome, a Crown agency recently created by the Ford government to coordinate resources for home care and palliative patients, has been under scrutiny after a cyberattack that impacted one of its vendors was kept under wraps for months.

The attack, believed to have affected as many as 200,000 patients, took place sometime in March but was only revealed to the public in late June.

Now, officials with the agency have confirmed that they were made aware of a cybersecurity incident as early as April 14, but waited until the end of May to inform Ontario’s Information and Privacy Commissioner — as required by law — and until June 27 to tell patients.

“On April 14, Ontario Medical Supply (OMS) notified Ontario Health atHome that it was experiencing system outages and a potential cyberattack impacting their information system and operations,” a spokesperson for Ontario Health atHome told Global News.

The latest revelation has led to accusations of “deception” by the health agency, which indirectly reports to Health Minister Sylvia Jones.

While the extent of the cyberattack in March remains unclear, Ontario Medical Supply claims to have been unaware of the incident because the company’s system didn’t go down until mid-April.

Officials with Ontario Health atHome said on or around April 14, OMS found out its system had suffered some kind of cyber breach, triggering an investigation into the situation.