MGH campus transformation
MGH’s campus transformation continues with major renovation work. Patients and visitors can expect to experience noise, hallway closures and detours around the hospital. Learn more about our campus transformation.
Frequently Asked Questions about Data Security Incident at Michael Garron Hospital (MGH)
Last updated: November 22, 2023
This page includes answers to frequently asked questions about a data security incident that Michael Garron Hospital (MGH) experienced on October 23, 2023.
1. What happened?
On October 23, 2023, MGH suffered a data security incident. While critical information and clinical application systems remained uninterrupted, MGH has learned that data stored on a hospital file shared drive was exposed. At this time, there is no indication that our patient health information database (Oracle Cerner PowerChart) was compromised.
We have confirmed that the data security incident was perpetrated by a cyber threat actor group. We did not pay a ransom and we are aware that data connected to the incident may be published. Having received the advice and counsel of leading third-party experts, we determined we would not yield to ransom demands. Our programs and patient care services continue to operate normally and MGH remains a safe place to receive care.
2. How did the data security incident occur?
We are currently investigating and have not yet determined how the incident occurred.
3. Are the police aware of the incident?
We are working with law enforcement and government agencies to address this incident. We have also reported the incident to the Information and Privacy Commissioner of Ontario. We are grateful for their continued support.
4. Is the incident related to the cyberattack affecting other hospitals in southwestern Ontario?
At this time, there is no indication this incident is related to the cyberattack recently experienced by other hospitals in southwestern Ontario.
5. What data was exposed in the data security incident and who is affected?
Data in files stored on a hospital file shared drive were exposed. We have determined that MGH employees and credentialed clinicians employed from January 2015 to November 2023 are likely affected by this incident. At this time, we can confirm the exposed information includes home addresses, social insurance numbers, bank account numbers and earnings information.
6. Are current and former patients, donors, learners and volunteers affected by the incident?
We know that some patients and donors are affected by the incident, though it will take us time to analyze data to determine who is affected and how. We also need to further analyze the data to determine if learners and volunteers were affected and, if so, how. We will continue to be transparent and will notify those affected as appropriate.
7. When will the hospital know the extent of the data exposure, including everyone who is affected and how?
The investigation and analyzing of data are ongoing and will take significant time – likely weeks or months – to complete. We appreciate your patience and support as our investigation continues. We are committed to providing updates as we learn more.
8. How will affected individuals be notified about this incident?
All current employees and credentialed clinicians received formal notification of the incident on November 10, 2023, along with an enrollment code for free credit monitoring services for a two-year period. If you are currently employed by MGH and did not receive an enrollment code, please email @email or call 1-888-339-0437.
Former affected employees and credentialed clinicians will be notified by mail during the week of November 27, 2023. They will also receive access to free credit monitoring services for a two-year period. If you are a former employee or credentialed clinician and you have not received information by mail by December 22, 2023, please email @email or call 1-888-339-0437.
For other individuals whose data is affected, we need to first analyze the data. This will take significant time – likely weeks or months – to complete. We appreciate your patience and support as our investigation continues.
9. What supports or resources are available for current and former employees and credentialed clinicians?
Given the nature of the information exposed, MGH will be providing current and former eligible employees and credentialed clinicians with a free credit monitoring service for a period of two years – a service that allows one to check for signs of identity fraud so protective action can be taken. This protective service is of significant benefit today, and we encourage recipients to take advantage of it. Learn more about credit monitoring services.
Current MGH employees and credentialed clinicians can also access the hospital’s Employee and Family Assistance Program, Homewood Health, which is available for everyone 24 hours a day, seven days a week and is completely free and confidential.
10. How can I access the free credit monitoring service?
All current MGH employees and credentialed clinicians received an email from MGH on November 10, 2023. This email included more information and an enrollment code. This protective service is of significant benefit and we encourage recipients to take advantage of it. Former eligible employees and credentialed clinicians will receive information by mail.
11. I am a former employee or credentialed clinician or I know of a former employee or credentialed clinician who would like to ensure MGH has their most up-to-date mailing address. How can I share this address?
Former affected employees and credentialed clinicians will be notified by mail during the week of November 20, 2023. We will use the mailing addresses we have on file. If you are a former employee or credentialed clinician and you have not received information by mail by December 22, 2023, please email @email or 1-888-339-0437.
12. I am a current employee or credentialed clinician and I have not received an email with information and an enrollment code for the free credit monitoring service. What should I do?
If you are a current employee of credentialed clinician and you have not yet received this information by email, please email @email or call 1-888-339-0437.
13. I am having technical difficulties redeeming my enrollment code on TransUnion’s website. What should I do?
If you experience any technical difficulties accessing these services, please contact TransUnion at 1-888-228-4939.
14. I was already enrolled in credit monitoring services with TransUnion. Can I still redeem the free two-year credit monitoring services with MGH?
If you are already enrolled in credit monitoring services with TransUnion, you can use the code we provided you to extend your period of coverage. You will need to contact TransUnion to do this. Please contact TransUnion at 1-888-228-4939 for assistance.
15. Will enrolling in the credit monitoring service affect my credit score?
No, enrolling in the credit monitoring service will not affect your credit score. We encourage eligible individuals to enroll in this service to protect themselves.
16. If it is confirmed that patients, donors, learners and volunteers are affected by the incident, will they also be offered free two-year credit monitoring services?
MGH will make further credit monitoring offers if warranted by the type of information exposed, noting that the compromise of medical information is not typically associated with a risk of identity fraud.
17. Besides enrolling in the credit monitoring service, what can employees and credentialed clinicians do to protect themselves and their data?
We recommend enrolling in free two-year credit monitoring services offered by MGH through TransUnion. If you are still concerned, you may consider the following:
-
Contact TransUnion and Equifax, the two primary credit bureaus in Canada, and request a fraud alert be added to your account. A fraud alert is free. It is a statement you can add to your credit report that warns potential lenders that you may be a victim of identity theft. Fraud alerts are proactive, protective measures because they may cause lenders to take extra steps to verify identity. Please note placing a fraud alert on your account may result in transactional delays with lenders. Learn more about fraud alerts.
-
Contact your bank to speak with them about what has happened. Your bank may recommend next steps that you can take.
-
Review the resources available on the Canadian Anti-Fraud Centre’s website.
18. What can employees and credentialed clinicians do to protect themselves after the two-year period that MGH is offering credit monitoring services for?
After your free two-year credit monitoring service offered by MGH expires, you may choose to add or maintain a fraud alert on your accounts with TransUnion and Equifax, Canada’s two primary credit bureaus. A fraud alert is free. It is a statement you can add to your credit report that warns potential lenders that you may be a victim of identity theft. Fraud alerts are proactive, protective measures because they may cause lenders to take extra steps to verify identity. Please note placing a fraud alert on your account may result in transactional delays with lenders. Learn more about fraud alerts.
19. After the two-year period, I would like to continue using the credit monitoring service with TransUnion. Is this possible?
Yes, after the two-year period, you may enroll in TransUnion’s credit monitoring service on their website. You may also contact TransUnion at 1-888-228-4939 for support.
20. What measures is the hospital taking to prevent further data security incidents?
We have already begun making significant improvements to our network security. When our investigation is complete, we will respond to the learnings in a manner that better protects us from these types of data security incidents in the future. In addition, we are continuing to implement proactive measures to safeguard our hospital network and information systems.
21. How can I stay updated about this incident, especially as new information emerges?
We are committed to providing updates to current employees and credentialed clinicians by email and on our employee intranet as we learn more. For all other groups, including former employees and credentialed clinicians, we will share updates through our website, tehn.ca. We encourage you to check back as needed.
22. I have questions and concerns about the incident that are not addressed on this page. Who should I contact?