MGH campus transformation
MGH’s campus transformation continues with major renovation work. Patients and visitors can expect to experience noise, hallway closures and detours around the hospital. Learn more about our campus transformation.
Frequently Asked Questions about Data Security Incident at Michael Garron Hospital (MGH)
Last updated: January 17, 2024
This page includes answers to frequently asked questions about a data security incident that Michael Garron Hospital (MGH) experienced on October 23, 2023.
1. What happened?
On October 23, 2023, MGH suffered a data security incident. While critical information and clinical application systems remained uninterrupted, MGH has learned that data stored on a hospital file shared drive was exposed. At this time, there is no indication that our patient health information database (Oracle Cerner PowerChart) was compromised.
We have confirmed that the data security incident was perpetrated by a cyber threat actor group. We did not pay a ransom and we are aware that data connected to the incident may be published. Having received the advice and counsel of leading third-party experts, we determined we would not yield to ransom demands. Our programs and patient care services continue to operate normally and MGH remains a safe place to receive care.
2. How did the data security incident occur?
We are currently investigating and have not yet determined how the incident occurred.
3. Are the police aware of the incident?
We are working with law enforcement and government agencies to address this incident. We have also reported the incident to the Information and Privacy Commissioner of Ontario. We are grateful for their continued support.
4. Is the incident related to the cyberattack experienced by other hospitals in southwestern Ontario in November 2023?
At this time, there is no indication this incident is related to the cyberattack experienced by other hospitals in southwestern Ontario.
5. What data was exposed in the data security incident and who is affected?
We have determined that the following individuals are likely affected:
-
MGH employees and credentialed clinicians employed from January 2015 to November 2023: The exposed information for these individuals includes home addresses, social insurance numbers, banking information and earnings information.
-
Some current and former MGH and foundation board members: The exposed information for these individuals includes home addresses, dates of birth, passport information, driver’s license numbers, social insurance numbers and banking information.
-
Some MGH volunteers who were at MGH from 2022 onward: The exposed information for these individuals includes phone numbers, mailing addresses and vaccination statuses.
-
Some medical students and learners who were at MGH from March 2020 onward: The exposed information for these individuals includes phone numbers, mailing addresses, banking information, email addresses and resume information.
6. Are current and former patients and donors affected by the incident?
We know some patients and donors are affected, though it will take us time to analyze data to determine who is affected and how. We will continue to be transparent and will notify those affected as appropriate.
7. When will the hospital know the extent of the data exposure, including everyone who is affected and how?
The investigation and analyzing of data are ongoing and will take significant time – likely weeks or months – to complete. We appreciate your patience and support as our investigation continues. We are committed to providing updates as we learn more.
8. How will affected individuals be notified about this incident?
All current employees and credentialed clinicians received formal notification of the incident on November 10, 2023, along with an enrollment code for free credit monitoring services for a two-year period. If you are currently employed by MGH and did not receive an enrollment code, please contact @email or 1-888-339-0437.
MGH began notifying affected former employees and credentialed clinicians by mail during the week of November 27, 2023. They also received access to free credit monitoring services for a two-year period. If you are a former employee or credentialed clinician and you did not receive information by mail by December 22, 2023, please contact @email or 1-888-339-0437.
Affected current and former board members, learners and volunteers will be notified by email or mail in January 2024. For other individuals whose data is affected, we need to first analyze the data. This will take significant time – likely weeks or months – to complete. We appreciate your patience and support as our investigation continues.
9. What supports or resources are available for current and former employees and credentialed clinicians?
Given the nature of the information exposed, MGH will be providing current and former eligible employees and credentialed clinicians with a free credit monitoring service for a period of two years – a service that allows one to check for signs of identity fraud so protective action can be taken. This protective service is of significant benefit today, and we encourage recipients to take advantage of it. Learn more about credit monitoring services.
Current MGH employees and credentialed clinicians can also access the hospital’s Employee and Family Assistance Program, Homewood Health, which is available for everyone 24 hours a day, seven days a week and is completely free and confidential.
10. How can I access the free credit monitoring service?
All current MGH employees and credentialed clinicians received an email from MGH on November 10, 2023. This email included more information and an enrollment code. This protective service is of significant benefit and we encourage recipients to take advantage of it. Former eligible employees and credentialed clinicians will receive information by mail.
11. I am a former employee or credentialed clinician or I know of a former employee or credentialed clinician who would like to ensure MGH has their most up-to-date mailing address. How can I share this address?
Former affected employees and credentialed clinicians were notified by mail during the week of November 20, 2023. We used the mailing addresses we have on file. If you are a former employee or credentialed clinician and you did not receive information by mail by December 22, 2023, please contact @email or 1-888-339-0437.
12. I am a current employee or credentialed clinician and I have not received an email with information and an enrollment code for the free credit monitoring service. What should I do?
If you are a current employee of credentialed clinician and you have not yet received this information by email, please email @email or call 1-888-339-0437.
13. I am having technical difficulties redeeming my enrollment code on TransUnion’s website. What should I do?
If you experience any technical difficulties accessing these services, please contact TransUnion at 1-888-228-4939.
14. I was already enrolled in credit monitoring services with TransUnion. Can I still redeem the free two-year credit monitoring services with MGH?
If you are already enrolled in credit monitoring services with TransUnion, you can use the code we provided you to extend your period of coverage. You will need to contact TransUnion to do this. Please contact TransUnion at 1-888-228-4939 for assistance.
15. Will enrolling in the credit monitoring service affect my credit score?
No, enrolling in the credit monitoring service will not affect your credit score. We encourage eligible individuals to enroll in this service to protect themselves.
16. Why is the free two-year credit monitoring service not available for some affected individuals?
MGH provided credit monitoring to individuals whose exposed information places them at an elevated risk of identity fraud.
17. If it is confirmed that patients and donors are affected by the incident, will they be offered free two-year credit monitoring services?
MGH will make further credit monitoring offers if warranted based on the type of information exposed, noting that the compromise of medical information is not typically associated with a risk of identity fraud.
18. Besides enrolling in the credit monitoring service if they are offered it, what can affected individuals do to protect themselves and their data?
We recommend enrolling in the free two-year credit monitoring service offered by MGH through TransUnion if you are offered it. You may also consider the following:
-
Contact TransUnion and Equifax, the two primary credit bureaus in Canada, and request a fraud alert be added to your account. A fraud alert is free. It is a statement you can add to your credit report that warns potential lenders that you may be a victim of identity theft. Fraud alerts are proactive, protective measures because they may cause lenders to take extra steps to verify identity. Please note placing a fraud alert on your account may result in transactional delays with lenders. Learn more about fraud alerts.
-
Contact your bank to speak with them about what has happened. Your bank may recommend next steps that you can take.
-
Review the resources available on the Canadian Anti-Fraud Centre’s website.
19. What can employees and credentialed clinicians do to protect themselves after the two-year period that MGH is offering credit monitoring services for?
After your free two-year credit monitoring service offered by MGH expires, you may choose to add or maintain a fraud alert on your accounts with TransUnion and Equifax, Canada’s two primary credit bureaus. A fraud alert is free. It is a statement you can add to your credit report that warns potential lenders that you may be a victim of identity theft. Fraud alerts are proactive, protective measures because they may cause lenders to take extra steps to verify identity. Please note placing a fraud alert on your account may result in transactional delays with lenders. Learn more about fraud alerts.
20. After the two-year period, I would like to continue using the credit monitoring service with TransUnion. Is this possible?
Yes, after the two-year period, you may enroll in TransUnion’s credit monitoring service on their website. You may also contact TransUnion at 1-888-228-4939 for support.
21. What measures is the hospital taking to prevent further data security incidents?
We have already begun making significant improvements to our network security. When our investigation is complete, we will respond to the learnings in a manner that better protects us from these types of data security incidents in the future. In addition, we are continuing to implement proactive measures to safeguard our hospital network and information systems.
22. Why does MGH have data and information for employees and clinicians who no longer work for or are credentialed at the hospital?
MGH retains employee information to comply with income tax remittance laws and regulation. MGH is required to maintain relevant financial records for a minimum of seven years.
23. How can I stay updated about this incident, especially as new information emerges?
We are committed to providing updates to current employees and credentialed clinicians by email and on our employee intranet as we learn more. For all other groups, including former employees and credentialed clinicians, we will share updates through our website, tehn.ca. We encourage you to check back as needed.
24. I have questions and concerns about the incident that are not addressed on this page. Who should I contact?