Finally, finally, FINALLY: exposed patient files from the Bolton Walk-In Clinic in Ontario have been secured. Now that the data is locked down, we can reveal more details about a seriously frustrating data leak that remained unsecured for at least 10 months while the clinic ignored all our notifications and alerts.
It’s a story that started on May 5, 2024, when an independent researcher who prefers to remain anonymous found an unsecured backup with patient records online and noted it for follow-up. On August 4, when the data was still not secured, he contacted DataBreaches about the leak involving 54,000 image files and 877,000 pdf files. The earliest files appeared to be dated 2010, and there were 386.01 GB of data.
On August 6, DataBreaches made her first attempt to notify the clinic. Because they had no email address posted on their website, DataBreaches used their website contact form to send a message with the words “Responsible Disclosure” as part of the subject line.
Getting no reply, DataBreaches called the clinic on August 7, 2024.
In December 2024, DataBreaches publicly revealed that the clinic was still leaking data and hadn’t responded to notifications by this site. In that post, DataBreaches reported what happened on that phone call on August 7, as she reported it at the time to the researcher who had found the leak:
un******* believable… I had to call Bolton 3 times…. and finally get a person who calls me “honey” and says she doesn’t see any message from yesterday with the subject line “responsible disclosure..” so I interrupt her and told her to get her IT guy and tell them they are leaking patient data and give them my phone number if they can’t figure it out from that message. What a waste of my time…. They had me on hold for 5 minutes just to be sent back to the same person who had no idea what to do in the first call. And they didn’t call me back.
By December, all I wanted for Christmas was for someone to stand outside the clinic in a Santa suit carrying a sign, “Bolton Walk-In Clinic is naughty — they are leaking patient data.”
I probably should have asked for a pony.
Even Canada’s fledgling Centre for Cyber Security was unable to get the clinic to lock down their backup after they reached out to this site to offer their help after reading the December post. They contacted the RCMP but reported back that despite their efforts, the data were still unsecured.
Contacting several Canadian law firms whose clients’ medical records were exposed also produced no results.
And that’s where matters stagnated until recently, when researcher Martin Seeger decided to try to help. As he tells it on infosec.exchange, the following is a timeline of the steps he took:
- June 3rd, 2025: I reachout to the ISP (Rogers Communications Inc) as the publication of that data is in clear violation of the acceptable use policy of Rogers.
- June 3rd, 2025: Rogers asks for proof of the claim which is supplied the same day.
- June 12th, 2025: Contacted the Ontario Provincial Police and asked for an investigation if Canadian law is being violated.
- June 18th, 2025: Ontario Provincial Police passes the investigation to the Anti-Rackets Branch.
- June 20th, 2025: Passed the information about the investigation to Rogers Communication.
- June 21st, 2025: Leak is closed
DataBreaches has absolutely no idea what the Anti-Rackets branch has to do with a data leak of this kind, but is thrilled that Martin was able to succeed in getting the unsecured data secured.
You can read Martin’s post and comments on the incident on infosec.exchange. His summary, “A complete and utter failure of IT-Security on the technical and organisational level of the Bolton Walkin Clinic,” seems accurate.
Next Steps: Take Action
As a security researcher, Martin notes that his work on this is over as the data are now secured. But as a privacy advocate, DataBreaches believes that this incident should not be considered really over until those affected have been notified and Bolton Walk-In Clinic improves its security and its incident response.
To accomplish those goals, DataBreaches suggests current or former patients of the Bolton Walk-In Clinic file a formal complaint with the Information and Privacy Commissioner of Ontario (IPC). You can file a complaint online or via mail. The timeline and information in DataBreaches’s previous post and this post can help you explain how the clinic’s patient data was exposed since at least May 2024, and possibly even much earlier. The clinic never responded to our notifications, and as far as we know, never notified patients whose files were exposed without any login or password required to access them.
The IPC should be asked to investigate this incident, review access logs to determine how many unauthorized IP addresses accessed the data since May 2024, and direct Bolton Walk-In Clinic to notify patients by individual letters. The IPC should also ensure that the clinic has a policy and procedures in place for receiving responsible disclosure alerts and that all staff are trained how to respond to an alert and how to escalate it for investigation and action.
DataBreaches notes that we have never known who was actually responsible for securing the patient data — whether it was the clinic or some vendor they hired. But ultimately, we hold the clinic accountable for the patient data it collected and was responsible for securing and protecting.
If you are or were a patient at Bolton Walk-In Clinic and do file a complaint, please email bolton@databreaches[.]net (without the brackets) to let us know what response you get from the IPC.