Cyber Incident Victim: Ontario Medical Supply
Date: Mar 2025
Location: Canada
Summary
Ontario Medical Supply experienced a cybersecurity incident that disrupted its systems. The vendor notified Ontario Health atHome about the outage and potential breach, and later confirmed that patient information such as names, contact details and medical supply orders had been compromised. Ontario Health atHome informed the Information and Privacy Commissioner weeks after the vendor's confirmation, and patients were notified only after further delay. The exposed data raised concerns about potential misuse for identity theft, phishing and blackmail.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 0 motives | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On March 17, Ontario Medical Supply experienced a cybersecurity incident that later affected its information systems and operations. On April 14, the company notified Ontario Health atHome that it was suffering system outages and a potential cyberattack impacting its information system and operations, prompting the agency to begin an investigation. Ontario Health atHome stated that, on or around April 14, OMS had discovered that its system had suffered some kind of cyber breach, though OMS later claimed it was unaware of the incident because its systems did not go down until mid‑April. The agency’s spokesperson confirmed that the notification from OMS arrived on April 14, marking the first official awareness of the cybersecurity issue within the provincial home‑care coordination body.

On May 21, OMS confirmed to Ontario Health atHome that the breach had compromised patient information, specifically names, contact details and the medical supplies or equipment ordered by those patients. Nine days later, on May 30, Ontario Health atHome notified the Information and Privacy Commissioner of the breach, as required by law, despite having been aware of the potential incident since April 14. The agency did not inform the public or affected patients until June 27, when Liberal MPP Adil Shamji disclosed the cyberattack, prompting the Ministry of Health to acknowledge the breach publicly. Shamji criticized the agency for what he described as incompetence and deception due to the lengthy delay between the initial awareness and patient notification.

Shamji further stated that the information believed to have been disclosed included patients’ diagnoses, addresses, names, email addresses and prescription data, noting that such details could be used for blackmail, phishing, identity fraud or identity theft. The timeline outlined in the report shows the cybersecurity incident began in March, OMS’ systems failed and the agency was informed in April, patient data confirmation came in May, regulator notification followed in May, and patient notification occurred in late June. No additional technical details about the attacker’s methods, containment measures or specific system impacts are provided in the source material.
