Frequently asked questions about data security incident from October 2023 at Michael Garron Hospital

Last updated: January 24, 2025

This webpage includes answers to frequently asked questions about a data security incident that Michael Garron Hospital experienced on October 23, 2023. In November 2024, this webpage was updated to include information about affected Michael Garron Hospital patients and affected Michael Garron Hospital Foundation donors. 

What happened?

On October 23, 2023, Michael Garron Hospital experienced a data security incident. While critical information and clinical application systems were uninterrupted, data stored on one of Michael Garron Hospital’s servers was exposed. Our patient health information database was not compromised. 

We immediately took steps to protect our data and information systems. We also immediately launched an investigation into the incident in collaboration with leading third-party experts and notified the appropriate stakeholders of the incident and our investigation. These stakeholders included our employees, credentialed clinicians, learners and volunteers; patients and community members; Michael Garron Hospital Foundation donors; and our hospital and foundation Boards of Directors. 

In November 2023, we confirmed the exposed data included personal information belonging to certain individuals, including current employees and credentialed clinicians, as well as certain former employees and credentialed clinicians, board members, learners and volunteers at Michael Garron Hospital. We notified these affected individuals between November 2023 and January 2024. We also confirmed that this data included personal health information belonging to some patients at Michael Garron Hospital and personal information belonging to some Michael Garron Hospital Foundation donors. 

In fall 2024, after concluding an investigation with leading third-party experts, we notified affected patients at Michael Garron Hospital and affected Michael Garron Hospital Foundation donors through the hospital website. This notice is also accessible through Michael Garron Hospital Foundation’s website. 

We have confirmed that the data security incident was perpetrated by a cyber threat actor group. Please note that, at this time, we have no evidence that any personal information, including personal health information, was misused. 

Our programs and patient care services continue to operate normally and Michael Garron Hospital remains a safe place to receive care. In addition, it is safe to donate to Michael Garron Hospital Foundation. The foundation website, mghf.ca, is secure and our donation webpages encrypt donor information ahead of transmission to a third-party payment processor.   

We wish to thank everyone who responded to this incident, including our healthcare teams, community partners, government agencies and law enforcement services. We also want to thank our patients, community members, staff, credentialed clinicians and Michael Garron Hospital Foundation donors for their patience and ongoing support. 

If Michael Garron Hospital experienced the incident, why were Michael Garron Hospital Foundation donors affected? 

Although Michael Garron Hospital and Michael Garron Hospital Foundation are two separate entities, we work together closely and share certain resources, including Information Technology (IT) infrastructure.

Are the police aware of the incident?

We worked with law enforcement and government agencies throughout our response to this incident. We have also been in communication with the Information and Privacy Commissioner (IPC) of Ontario. We are grateful for their continued support. 

Who was affected and what data was exposed in the data security incident? 

Our investigation revealed that the following information was exposed. Please note that, at this time, we have no evidence that any personal information, including personal health information, was misused. 

• Michael Garron Hospital employees and credentialed clinicians employed from January 2015 to November 2023: The exposed information for these individuals includes home addresses, social insurance numbers, banking information and earnings information.  
• Some current and former Michael Garron Hospital and Michael Garron Hospital Foundation board members: The exposed information for these individuals includes banking information, dates of birth, driver’s license numbers, home addresses, passport information and social insurance numbers. 
• Some volunteers who were at Michael Garron Hospital from 2022 onward: The exposed information for these individuals includes mailing addresses, phone numbers and vaccination statuses.  
• Some medical students and learners who were at Michael Garron Hospital from March 2020 onward: The exposed information for these individuals includes banking information, email addresses, phone numbers and resume information.  
• Inpatients from January 2015 to October 2023: The exposed information for these individuals includes admission and discharge dates, dates of birth, diagnoses, health card numbers, mailing addresses, names, names of treating physicians, patient identification numbers, procedures received while at Michael Garron Hospital, and sexes. 
• Inpatients admitted from August 2021 to October 2023 and who were prescribed oral or topical medication: The exposed information for these individuals also includes prescription information. 
• Inpatients and dialysis patients who received parenteral medication compounded by Michael Garron Hospital’s pharmacy between August 2018 and October 2023: The exposed information for these individuals also includes prescription information. 
• Outpatients who attended one of Michael Garron Hospital’s clinics in 2016, 2017, 2021, 2022, and from January  to October 2023: The exposed information for these individuals includes admission and discharge dates, dates of birth, health card numbers, the internal codes identifying the service which provided your treatment at Michael Garron Hospital, mailing addresses, names, names of treating physicians, patient identification numbers, sexes, and telephone numbers. 
• Michael Garron Hospital Foundation donors: For certain donors, the exposed information includes addresses; ages/dates of birth; dates of death; donation dates, types, and/or amounts; education information; email addresses; ethnicity information; estimated donation ability; expiry dates of payment card; financial account information; gender; marital status; names; and phone numbers. 

What measures are Michael Garron Hospital and Michael Garron Hospital Foundation taking to prevent further data security incidents?   

We have invested significantly in additional security measures to better protect our hospital network and information systems, and to ensure the security of the data that Michael Garron Hospital and Michael Garron Hospital Foundation store. This includes upgrading cybersecurity software, enhancing existing network and information systems, and engaging leading third-party experts to monitor the potential misuse of exposed data. We also continuously review our policies and procedures to help prevent future incidents.

How were affected individuals notified about this incident?  

We notified current employees and credentialed clinicians of the incident by email on November 10, 2023. We began notifying affected former employees and credentialed clinicians by mail during the week of November 27, 2023.  

We notified affected current and former board members, learners and volunteers by email or mail in January 2024. We notified affected Michael Garron Hospital patients and most affected Michael Garron Hospital Foundation donors through the hospital website in November 2024. This notice is also accessible through Michael Garron Hospital Foundation’s website. We also notified certain donors by mail in November 2024. Please note that delivery of this mail may be delayed by service disruptions at Canada Post.

I’m affected by this incident. Why didn’t I receive an email or mail informing me? 

We notified current employees and credentialed clinicians of the incident by email on November 10, 2023. We began notifying affected former employees and credentialed clinicians by mail during the week of November 27, 2023. We notified affected current and former board members, learners and volunteers by email or mail in January 2024. We notified certain donors by mail in November 2024. Please note that delivery of this mail may be delayed by service disruptions at Canada Post.

We notified affected Michael Garron Hospital patients and most affected Michael Garron Hospital Foundation donors through the hospital website. This notice is also accessible through Michael Garron Hospital Foundation’s website. 

Why did it take so long for Michael Garron Hospital to notify patients and for Michael Garron Hospital Foundation to notify donors? 

We previously reported that our investigation into the exposure of Michael Garron Hospital patient and Michael Garron Hospital Foundation donor information was ongoing, and that this investigation would likely take weeks or months to complete. This investigation was complex, and it took time to determine what information was exposed. We take the protection of personal information, including personal health information, very seriously and will continue to be as open as possible. 

I am an employee or credentialed clinician at Michael Garron Hospital and am also a patient at the hospital. How does this affect me? 

If you are an employee or credentialed clinician at Michael Garron Hospital, the exposed information includes the information listed in the email or mail you received between November 2023 and January 2024. If you are also a patient at Michael Garron Hospital, then your exposed information may also include the information listed in the notice posted on the hospital's website. Please note that, at this time, we have no evidence that any personal information, including personal health information, was misused. 

I am an employee or credentialed clinician at Michael Garron Hospital and am also a Michael Garron Hospital Foundation donor. How does this affect me? 

Thank you for your philanthropic support. If you are an employee or credentialed clinician, the exposed information includes the information listed in the email or mail you received between November 2023 and January 2024. If you are also a Michael Garron Hospital Foundation donor, then your exposed information likely includes the information listed in the notice posted on the hospital website. This notice is also accessible through Michael Garron Hospital Foundation’s website. Please note that, at this time, we have no evidence that any personal information, including personal health information, was misused. 

I am an affected patient and I’d like to file a complaint. How can I do this? 

Patients whose personal health information was exposed have the right to file a complaint. Should you wish to do so, you can contact the Information and Privacy Commissioner of Ontario (IPC) via its website (ipc.on.ca/en/resources/information-individuals). While you are welcome to file a complaint with the IPC, it is not necessary to do so as the IPC is already investigating this matter. 

Why is the free credit monitoring service not available for some affected individuals?  

Michael Garron Hospital and Michael Garron Hospital Foundation provided a free two-year credit monitoring subscription to individuals whose exposed information may place them at an elevated risk of identity fraud. 

I was offered free credit monitoring service due to the incident. How can I access this service? 

We offered a free two-year credit monitoring service for individuals affected by this incident whose exposed information may place them at an elevated risk of identity fraud. Instructions on how to access this service are included in the email or mail you received. 

In this email or mail, we shared an enrollment code and instructions for how to register for this service. This protective service is of significant benefit and we encourage recipients to take advantage of it. 

I am having technical difficulties redeeming my enrollment code for credit monitoring service on TransUnion’s website. What should I do?  

If you experience any technical difficulties accessing these services, please contact TransUnion at 1-888-228-4939.  

I was already enrolled in credit monitoring service with TransUnion. Can I still redeem the free credit monitoring service with Michael Garron Hospital and Michael Garron Hospital Foundation?  

If you are already enrolled in credit monitoring services with TransUnion, you can use the code we provided you to extend your period of coverage. To do so, please contact TransUnion at 1-888-228-4939 for assistance.  

Will enrolling in the credit monitoring service affect my credit score?  

No, enrolling in the credit monitoring service will not affect your credit score. We encourage eligible individuals to enroll in this service to protect themselves. 

Besides enrolling in the credit monitoring service if they are offered it, what can affected individuals do to protect themselves and their data?  

We recommend enrolling in the free two-year credit monitoring service offered by Michael Garron Hospital and Michael Garron Hospital Foundation through TransUnion if you are offered it. You may also consider the following:  

• Contact TransUnion and Equifax, the two primary credit bureaus in Canada, and request a fraud alert be added to your account. A fraud alert is free. It is a statement you can add to your credit report that warns potential lenders that you may be a victim of identity theft. Fraud alerts are proactive, protective measures because they may cause lenders to take extra steps to verify identity. Please note placing a fraud alert on your account may result in transactional delays with lenders. Learn more about fraud alerts.  
• Contact your bank to speak with them about what has happened. Your bank may recommend next steps that you can take.  
• Review the resources available on the Canadian Anti-Fraud Centre’s website. 

I was offered the free credit monitoring service due to the incident and would like to continue using this service with TransUnion after the two-year period. Is this possible?  

Yes, after the two-year period, you may enroll in TransUnion’s credit monitoring service on their website. You may also contact TransUnion at 1-888-228-4939 for support. 

Why does Michael Garron Hospital have data and information for employees and clinicians who no longer work for or are credentialed at the hospital?  

Michael Garron Hospital retains employee information to comply with income tax remittance laws and regulations. The hospital is required to maintain relevant financial records for a minimum of seven years. 

Why does Michael Garron Hospital have data and information for patients who no longer receive care at the hospital? 

Michael Garron Hospital retains personal health information in accordance with the Public Hospitals Act, which generally requires it to retain personal health information for 10 years after a patient receives care.

Why does Michael Garron Hospital Foundation have data and information for donors who no longer donate to the hospital?  

Canada Revenue Agency requires that registered charities maintain records and supporting documents for a period of six years from the end of the last tax year to which they relate. Michael Garron Hospital Foundation also keeps information of lapsed donors in hopes of keeping them engaged. 

I have questions and concerns about the incident that are not addressed on this webpage. Who should I contact?

If you have a donor-related question that is not addressed in the FAQ, please contact @email. If you have a patient-related question that is not addressed in the FAQ, please contact @email or 416-469-6096.

If you are a member of the media, please contact @email.