DataBreaches.Net

Bolton Walk-In Clinic patient data leak locked down (finally!)

Posted on June 30, 2025 by Dissent

Finally, finally, FINALLY: exposed patient files from the Bolton Walk-In Clinic in Ontario have been secured. Now that the data are locked down, we can reveal more details about a seriously frustrating data leak that remained unsecured for at least 10 months after our first notification, while the clinic ignored every notification and alert we sent.

It’s a story that started on May 5, 2024, when an independent researcher who prefers to remain anonymous found an unsecured backup containing patient records exposed online and noted it for follow-up. On August 4, when the data were still not secured, he contacted DataBreaches about the leak, which involved 54,000 image files and 877,000 PDF files totalling 386.01 GB. The earliest files appeared to be dated 2010.

On August 6, DataBreaches made her first attempt to notify the clinic. Because the clinic had no email address posted on its website, DataBreaches used the site’s contact form to send a message with the words “Responsible Disclosure” in the subject line.
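For comparison, this is what a published disclosure contact looks like. It is an added example for this post, not a file the clinic has ever served: a security.txt (RFC 9116) placed at /.well-known/security.txt on the clinic’s web server, so that a researcher who finds exposed data has a mailbox and phone number to reach rather than a contact form routed to the front desk. Every address, URL and date in it is a placeholder.

```text
# /.well-known/security.txt  (RFC 9116)
# Added example; the contact details and URLs are placeholders, not the clinic's.
Contact: mailto:security@clinic.example
Contact: tel:+1-555-0100
Expires: 2026-06-30T00:00:00.000Z
Preferred-Languages: en, fr
Policy: https://clinic.example/responsible-disclosure
Canonical: https://clinic.example/.well-known/security.txt
```

Contact and Expires are the two required fields; the Expires date is meant to be refreshed so that a stale file is not taken as a live channel. The file only helps if the mailbox it names is actually monitored and front-line staff know to escalate anything that mentions it.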

Getting no reply, DataBreaches called the clinic on August 7, 2024.

In December 2024, DataBreaches publicly revealed that the clinic was still leaking data and hadn’t responded to notifications by this site. In that post, DataBreaches reported what happened on that phone call on August 7, as she reported it at the time to the researcher who had found the leak:

    un******* believable… I had to call Bolton 3 times…. and finally get a person who calls me “honey” and says she doesn’t see any message from yesterday with the subject line “responsible disclosure..” so I interrupt her and told her to get her IT guy and tell them they are leaking patient data and give them my phone number if they can’t figure it out from that message. What a waste of my time…. They had me on hold for 5 minutes just to be sent back to the same person who had no idea what to do in the first call. And they didn’t call me back.

    By December, all I wanted for Christmas was for someone to stand outside the clinic in a Santa suit carrying a sign, “Bolton Walk-In Clinic is naughty — they are leaking patient data.”

    I probably should have asked for a pony.

Even Canada’s fledgling Centre for Cyber Security was unable to get the clinic to lock down its backup. After reading the December post, the Centre reached out to this site to offer help and contacted the RCMP, but reported back that despite their efforts, the data were still unsecured.

Contacting several Canadian law firms whose clients’ medical records were exposed also produced no results.

And that’s where matters stagnated until recently, when researcher Martin Seeger decided to try to help. As he tells it on infosec.exchange, the following is a timeline of the steps he took:

    • June 3rd, 2025: I reach out to the ISP (Rogers Communications Inc) as the publication of that data is in clear violation of the acceptable use policy of Rogers.
    • June 3rd, 2025: Rogers asks for proof of the claim, which is supplied the same day.
    • June 12th, 2025: Contacted the Ontario Provincial Police and asked for an investigation into whether Canadian law is being violated.
    • June 18th, 2025: Ontario Provincial Police passes the investigation to the Anti-Rackets Branch.
    • June 20th, 2025: Passed the information about the investigation to Rogers Communications.
    • June 21st, 2025: Leak is closed.

DataBreaches has absolutely no idea what the Anti-Rackets Branch has to do with a data leak of this kind, but is thrilled that Martin was able to succeed in getting the unsecured data secured.

You can read Martin’s post and comments on the incident on infosec.exchange. His summary, “A complete and utter failure of IT-Security on the technical and organisational level of the Bolton Walkin Clinic,” seems accurate.

Next Steps: Take Action

As a security researcher, Martin notes that his work on this is over now that the data are secured. But as a privacy advocate, DataBreaches believes that this incident should not be considered really over until those affected have been notified and Bolton Walk-In Clinic improves both its security and its incident response.

To accomplish those goals, DataBreaches suggests that current or former patients of the Bolton Walk-In Clinic file a formal complaint with the Information and Privacy Commissioner of Ontario (IPC). You can file a complaint online or by mail. The timeline and information in DataBreaches’s previous post and this post can help you explain how the clinic’s patient data were exposed since at least May 2024, and possibly much earlier. The clinic never responded to our notifications and, as far as we know, never notified the patients whose files were exposed without any login or password required to access them.

The IPC should be asked to investigate this incident, to review the access logs, to the extent they were retained, to determine how many unauthorized IP addresses accessed the data since May 2024, and to direct Bolton Walk-In Clinic to notify patients by individual letters. The IPC should also ensure that the clinic has a policy and procedures in place for receiving responsible disclosure alerts, and that all staff are trained in how to respond to an alert and how to escalate it for investigation and action.
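What that log review involves in practice, as an added example for this post rather than anything the clinic, the researchers or the IPC have produced: the script below reads web-server access logs in the standard combined format that nginx and Apache write by default, keeps only successful (2xx) fetches under the exposed path at or after the date the leak was first observed, drops the clinic’s own internal addresses, and reports each remaining client address with its first and last access and the distinct paths it pulled. The backup path /backup/, the 192.168.0.0/16 “authorized” range and the sample log lines are all constructed (RFC 5737 documentation addresses, not real clients).

```python
"""Triage of web-server access logs for an exposed backup directory.

Added example for this post, not code from the clinic, the researchers
or the IPC. It answers the question the post asks the IPC to answer:
how many distinct external addresses successfully fetched files under
the exposed path, and over what period. The log lines, the path
/backup/ and the "authorized" internal range are all constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import ipaddress
import re

# Standard "combined" access-log format as written by nginx and Apache:
# host ident authuser [date] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample log (RFC 5737 documentation addresses, not real clients).
SAMPLE_LOG = """\
203.0.113.7 - - [05/May/2024:14:02:11 +0000] "GET /backup/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [05/May/2024:14:02:19 +0000] "GET /backup/2019/scan_0001.pdf HTTP/1.1" 200 88211 "-" "Mozilla/5.0"
192.168.1.20 - - [06/May/2024:09:15:00 +0000] "GET /backup/2019/scan_0001.pdf HTTP/1.1" 200 88211 "-" "Mozilla/5.0"
198.51.100.4 - - [04/Aug/2024:21:40:05 +0000] "GET /backup/ HTTP/1.1" 200 5123 "-" "python-requests/2.31"
198.51.100.4 - - [04/Aug/2024:21:40:06 +0000] "GET /backup/images/img_0042.jpg?dl=1 HTTP/1.1" 200 41000 "-" "python-requests/2.31"
198.51.100.4 - - [04/Aug/2024:21:41:00 +0000] "GET /backup/missing.pdf HTTP/1.1" 404 196 "-" "python-requests/2.31"
203.0.113.9 - - [01/Jan/2025:03:00:00 +0000] "GET /index.html HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
203.0.113.9 - - [22/Jun/2025:10:00:00 +0000] "GET /backup/2019/scan_0001.pdf HTTP/1.1" 403 150 "-" "Mozilla/5.0"
"""


@dataclass
class ClientActivity:
    first_seen: datetime
    last_seen: datetime
    requests: int = 0
    paths: set = field(default_factory=set)


def parse_line(line):
    """Return (host, time, path, status) for one combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]   # drop any query string
    return m.group("host"), when, path, int(m.group("status"))


def summarize_unauthorized_access(
    log_text,
    exposed_prefix="/backup/",
    authorized_networks=("192.168.0.0/16",),   # constructed: the clinic's own LAN
    since=datetime(2024, 5, 1, tzinfo=timezone.utc),
):
    """Per external client address: successful (2xx) fetches under exposed_prefix
    at or after `since`. Only 2xx responses count, so requests made after the
    data were locked down (403) or for files that never existed (404) are not
    treated as disclosure. The result is a lower bound: logs that were rotated
    away or never kept cannot be counted."""
    nets = [ipaddress.ip_network(n) for n in authorized_networks]
    summary = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, when, path, status = parsed
        if when < since or not path.startswith(exposed_prefix) or not 200 <= status < 300:
            continue
        try:
            if any(ipaddress.ip_address(host) in net for net in nets):
                continue          # clinic's own systems: authorized access
        except ValueError:
            pass                  # hostname rather than an IP: treat as external
        act = summary.get(host)
        if act is None:
            act = summary[host] = ClientActivity(first_seen=when, last_seen=when)
        act.first_seen = min(act.first_seen, when)
        act.last_seen = max(act.last_seen, when)
        act.requests += 1
        act.paths.add(path)
    return summary


if __name__ == "__main__":
    for host, act in sorted(summarize_unauthorized_access(SAMPLE_LOG).items()):
        print(f"{host}: {act.requests} fetches, {len(act.paths)} distinct paths, "
              f"{act.first_seen.date()} to {act.last_seen.date()}")
```

On the constructed sample, two external addresses are reported: the internal 192.168.1.20 fetch is excluded as authorized, the 404 for a non-existent file is not a disclosure, and the 403 on June 22, 2025 shows the path refusing access after the lockdown. The figure is only as good as the log retention: a server that rotated its logs every few weeks cannot tell the IPC who accessed the data in 2024, which is exactly why the number should be treated as a floor, not a total.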

DataBreaches notes that we have never known who was actually responsible for securing the patient data, whether it was the clinic or some vendor it hired. But ultimately, we hold the clinic accountable for the patient data it collected and was responsible for securing and protecting.

If you are or were a patient at Bolton Walk-In Clinic and do file a complaint, please email bolton@databreaches[.]net (without the brackets) to let us know what response you get from the IPC.
