Cyber Incident Victim: Lakeridge Health
Date: May 2017
Location: Canada
Summary
A ransomware attack impacted a Canadian healthcare organization, causing unexpected computer downtime across multiple hospital sites. The institution's antivirus systems contained the infection, preventing serious network compromise or data loss, with patient care remaining unaffected. Temporary disconnection from the internet as part of emergency protocols briefly interrupted access to patient records before most systems were restored within a day. Provincial health authorities activated technical support and advised all hospitals to implement a critical Microsoft security patch issued months earlier. While this organization had not installed the update prior to the incident, others in the region that had applied the patch avoided disruption. The global attack exploited a known Windows vulnerability, though Canadian entities largely escaped severe consequences compared to international counterparts.
Description
On May 12, 2017, Lakeridge Health in Oshawa, Ontario, experienced unexpected computer downtime across its five hospital sites due to a global ransomware cyberattack. The attack, part of a widespread malware campaign affecting nearly 100 countries, exploited a vulnerability in Microsoft Windows systems that had been identified by the U.S. National Security Agency and later leaked. Lakeridge Health’s antivirus systems detected and disabled the ransomware before it could seriously compromise the network, preventing data loss or health information breaches. Patient care remained unaffected throughout the incident. Upon detecting the threat, the hospital activated a "Code Grey" emergency protocol, which involved disconnecting from the internet to contain the attack. This action temporarily disrupted access to patient records but prevented further system infiltration. By Saturday afternoon, most hospital operations had resumed, though IT teams continued working to optimize performance in emergency and critical care departments. Connection to patient records was restored during the response, though system performance remained suboptimal in some areas. No patient diversions or ambulance rerouting occurred.

The Ontario Ministry of Health responded by activating its emergency management protocols, establishing a command center in Toronto and a dedicated call center to coordinate technical support for hospitals. Ministry officials confirmed Lakeridge Health had not installed a critical Microsoft security patch released in March 2017, which other Ontario hospitals like University Health Network, St. Michael’s Hospital, and Sunnybrook Health Sciences Centre had applied, leaving their systems unaffected. The ministry disseminated security advisories to all provincial hospitals, urging immediate installation of the patch to mitigate ransomware risks. Lakeridge Health initiated a full review of the incident to identify root causes but prioritized immediate system restoration during the crisis. Globally, the attack disrupted Britain’s National Health Service severely, but in Ontario, only Lakeridge reported significant operational impacts. Previous ransomware incidents at Ottawa Hospital and Norfolk General Hospital in 2016 had affected fewer systems. Public Safety Canada acknowledged awareness of the attacks but did not confirm Canadian impacts beyond Lakeridge. The hospital maintained normal operations throughout the recovery period, with no ransom payment confirmed or requested from Ontario healthcare institutions.
