Cyber Incident Victim: Copeman Healthcare
Date: Aug 2020
Location: Canada
Summary
Two affiliated medical service providers, Medisys Health Group and Copeman Healthcare, experienced a security breach resulting in unauthorized access to approximately 60,000 client files containing personal information. The organizations paid an unspecified ransom to retrieve the compromised data after detecting the incident. Privacy officials were notified within four days of discovery, followed by customer notifications the subsequent week.
Description
On August 31, 2020, Medisys Health Group and its affiliate Copeman Healthcare, both operating as Telus Health medical service providers, detected a security breach involving unauthorized access to client files. The breach compromised personal information belonging to approximately 60,000 individuals across both organizations. The companies engaged with the attackers and paid an unspecified ransom to retrieve the accessed data, though the exact payment terms and negotiation timeline were not disclosed. Privacy officials were formally notified of the incident on September 4, four days after the initial discovery, initiating internal response protocols. Customer notifications began the following week, though the specific communication methods and detailed contents of those notices were not elaborated in public reports. The breach did not disrupt ongoing clinical operations, as no service interruptions or system outages were reported in conjunction with the incident.

The incident impacted a substantial volume of sensitive client records, though the precise types of compromised data (such as medical histories, contact details, or financial information) were not specified in available disclosures. Both Medisys and Copeman Healthcare coordinated their response efforts, leveraging their shared affiliation with Telus Health, but did not publicly identify the threat actors or their intrusion methods. The payment of a ransom confirmed the attackers’ possession of data and the organizations’ prioritization of data recovery, though no evidence emerged regarding whether the attackers deleted the information post-payment. The delayed notification to privacy officials—occurring four days post-discovery—reflected a brief internal assessment period before regulatory escalation. Customer notifications proceeded without explicit reports of complaints or secondary misuse of data at the time of disclosure, though the long-term consequences for affected individuals remained unquantified in initial reports.
