Notification of a cybersecurity incident

Arnprior Regional Health became aware in December 2021 of an unauthorized access to our IT system. Our investigation has confirmed that personal information of some of our patients was accessed.

It is important to note that the Electronic Health Record system was not impacted, and we experienced no disruption to the delivery of healthcare or other services we provide. There is no evidence of further misuse of the data, and we have received assurance that the data has been deleted.

Upon discovering the incident, we retained cyber forensic experts to conduct a comprehensive investigation. Based on the investigation to date, the following categories of ARH patients were impacted:

Category 1 – Past Patients

If you were a patient at ARH between April 1996 – January 2010 you were impacted. Your data, including name, date of birth, contact information, demographic data, and health card number may have been accessed.

Category 2 – ER Patient Satisfaction Information

If you visited the emergency room at ARH during March 2009 – February 2010 you were impacted. Your data, including name, date of birth, contact information, and time of visit may have been accessed. If you visited the emergency room between December 2009 – February 2010 your diagnosis may have also been accessed.

NOTE: your data has not been impacted if you visited the emergency room during these dates for any of the following: any deaths, suicidal thoughts, miscarriage, abortion, grieving, morning after pill/contraception, bizarre behavior, substance over dose, vital signs absent, homeless, sexual assault, domestic assault, physical assault, altered level of consciousness, or palliative care.

Category 3 – ER Patient Satisfaction Information

If you visited the emergency room at ARH during July 2016 – November 2021 (excluding March 16-31, 2017) you were impacted. Your data, including name, date of birth, health card number, and time of visit may have been accessed.

NOTE: your data has not been impacted if you visited the emergency room during these dates for any of the following: any deaths, suicidal thoughts, miscarriage, abortion, grieving, morning after pill/contraception, bizarre behavior, substance over dose, vital signs absent, homeless, sexual assault, domestic assault, physical assault, altered level of consciousness, or palliative care.

Category 4 – In-Patient Satisfaction Information

If you were admitted to ARH as an in-patient (i.e. overnight) during April 2009 – February 2010 (excluding July 2009 and October 2009), March 2014, or July 2016 – November 2021 (excluding March 16-31, 2017), you were impacted. Your data, including name, date of birth, contact information and time of visit may have been accessed. If you attended in March 2014, your diagnosis may have also been accessed.

NOTE: your data has not been impacted if you were admitted as an in-patient during these dates for any of the following: any deaths, suicidal thoughts, miscarriage, abortion, grieving, morning after pill/contraception, bizarre behavior, substance over dose, vital signs absent, homeless, sexual assault, domestic assault, physical assault, altered level of consciousness, or palliative care.

Category 5 – Colonoscopy

If you had a colonoscopy performed at ARH during March 2017 – August 2021 (excluding August 2017, October 2017, December 2017, June 2018, July 2018, February 2019, April 2021, May 2021) you were impacted. Your data, including name, date of procedure, health card number, procedure information, and date of birth may have been accessed.

Category 6 – COVID Testing

If you had a COVID test booked through one of Renfrew County’s mass swabbing centres during November 2, 2020 – September 29, 2021 you were impacted. Your data, including name, date of birth, address, contact information, demographic info, date of test, and potentially health card number may have been accessed.

Category 7 – COVID Vaccinations

If you received a COVID vaccination at one of Renfrew County’s mass vaccination clinics between March 2021 and May 2021, you were impacted. Your data, including name, date of birth, address, contact information, demographic info, date of vaccination, and potentially health card number may have been accessed.

Category 8 – Employee Vaccination Status

If you worked at ARH between September 2021 – December 2021, your vaccination status may have been accessed.

As part of its investigation, ARH also determined that certain records belonging to the Arnprior District Family Health Team were impacted. Based on the investigation to date, the following categories of Family Health Team patients were impacted:

Category 9 – Patient Waitlists

If you were on a physician waitlist with the Family Health Team from 2010-2022, you were impacted. Your data, including name, date of birth, address, contact information, and potentially health card number may have been accessed.

Category 10 – Patient Waitlists

You were impacted if you were a patient of Dr. McBride in August 2007 or March 2011, of Dr. Robson in June 2017, and of Dr. Villis or Dr. Kiskis in July of 2018, or of the Arnprior Medical Group generally in July 2020. Your data, including name, contact information, date of birth, and potentially health card number may have been accessed.

Category 11 – Flu Shot

If you were contacted by the Flu Shot clinic in 2017 or 2019-2020, you were impacted. Your data, including name, contact information and personal health information may have been accessed.

Please also note that if your personal information was impacted other than in the categories above, then you will receive an individual notification.

This matter is of the utmost concern to Arnprior Regional Health and is being treated as our highest priority. We apologize for the inconvenience this unfortunate incident may cause you.

Going forward, we are taking a number of additional measures to strengthen our systems. Working in collaboration with our internal IT team and external IT experts, we are continuing to invest in leading edge technologies to protect our systems and data from ever-growing cybersecurity threats.

Arnprior Regional Health working in conjunction with the Arnprior District Family Health Team has set up a dedicated call centre for this incident to answer any questions you might have: 1-833-806-1882.

The Information and Privacy Commissioner of Ontario (IPC) has been notified of the breach. To file a complaint, please visit: https://www.ipc.on.ca/resources/forms/

Again, on behalf of Arnprior Regional Health, I want to emphasize that we are treating this matter with the utmost concern and apologize for any inconvenience this incident may have caused you.

 

Sincerely,

Leah Levesque

President and CEO

Arnprior Regional Health

 

For more information, read the Cybersecurity Incident FAQs.