As predicted, Daixin has leaked the third part of the data they exfiltrated from TransForm and Canadian healthcare entities. DataBreaches reported the first leak when Daixin publicly claimed responsibility for the attack. The second leak followed two days later, and less than one day later, the third tranche dropped.
As with the first two leaks, this latest leak also contains numerous files with internal information and some personnel information, but it also contains a great deal of sensitive patient information and IT-related information.
While no major databases have been leaked (yet), DataBreaches came across a database with discharge data on patients from 2015. There were almost 800 entries for patients where the fields consisted of the patient’s name, date of birth, age, date of admission, date of discharge, their diagnosis, a field labeled CMG, their appointment at TDFHT (Tillsbury District Family Health Team), their discharge status, whether the patient was readmitted in 30 days, the name of the primary care provider, and a field for comments. Yet another spreadsheet contained the same structure, but included 340 rows of data for patients discharged in 2013 and 652 rows for patients discharged in 2014. Not all of these represent unique patients because some patients appear to have been admitted and discharged in more than one calendar year. DataBreaches did a quick search to try to determine if these were real patient data by conducting a google search for named patients whose records had been marked as “deceased” in the spreadsheets. DataBreaches was able to find obituaries for those patients whose names, ages, and Ontario location corresponded to the information in the spreadsheets.
Another patient-related spreadsheet from TDFHT contained more than 14,290 rows, where the data fields included the patient’s first and last names, PHN (personal health number), date of birth, gender, home phone number, and provider name.
DataBreaches also found data related to named patients at Erie Shores Healthcare, Leamington District Memorial Hospital, and other entities.
Even when patient identifying information was not the primary data collected, it appeared in some files such as a survey of patients who received cancer chemotherapy treatment. The survey’s last question was, “Would you like someone from Erie Shores HealthCare or Windsor Regional Cancer Centre to contact you to learn more about receiving chemotherapy treatment at Erie Shores HealthCare?” Some respondents to the question answered “yes” and gave their names and phone numbers.
Not all patient information was part of any organized archive or database. DataBreaches also found one file of more than 500 pages on a single patient. It appeared to be part of a lengthy medical record with scans of handwritten notes in nursing/medication records as well as test results and other reports on the patient. A google search revealed that the named patient passed away in 2020.
While the spreadsheets noted above contained sensitive information such as diagnoses, other files in the data leak were even more sensitive. DataBreaches found clinical case reviews with detailed personal and medical information on patients, as well as even more sensitive M&M reviews. M&M reviews are “Morbidity & Mortality” reviews. They are standard protocols in hospitals and health care facilities where specific cases are reviewed in a setting that it designed to remain secure and confidential so that staff can share information about a case frankly and freely and learn from it. If healthcare professionals cannot trust that hospitals and facilities will keep these M&M files secure from data leaks and breaches, will they talk freely and frankly about any errors that might have been made in a patient’s care so that they can all learn from it?
The M&M reviews were not the only sensitive files DataBreaches spotted. There were also files relating to patient complaints and communications about complaints about named personnel’s handling of a patient or case. As with the M&M reports, there was no password protection on any of the files DataBreaches skimmed.
The above is not intended to be a comprehensive inventory or description of the third leak, but it is intended to remind the public what can happen when threat actors can gain access to a network and why entities need to really evaluate whether they have adequate security for sensitive files.
There is still one part of the data leak that Daixin has not yet dumped — databases. DataBreaches will continue monitoring this incident. DataBreaches does not know whether Canadian or provincial law requires individual notification of patients whose personal and health information have been leaked or breached, but if it does, these entities have a ton of notifying to do.