Cyber Incident Victim: College of Family Physicians of Canada
Date: Feb 2020
Location: Canada
Summary
A phishing scam targeted physicians through emails appearing to originate from the College of Family Physicians of Canada, urging recipients to click malicious links and pay substantial sums. The organization confirmed a third-party-hosted email account was compromised, prompting an investigation with cybersecurity experts and legal counsel, though the full scope of impacted members remained unclear. While no confirmed financial losses or data breaches were reported, the incident raised concerns among medical professionals about vulnerability to socially engineered attacks exploiting urgency and financial pressure—a tactic accounting for approximately 90% of such privacy breaches. The College issued apologies to affected members and emphasized ongoing efforts to address the compromise while withholding further details during the investigation.
Description
On or around February 11, 2020, the College of Family Physicians of Canada (CFPC) experienced a phishing attack that targeted its 38,000 members nationwide. The incident began when attackers compromised a CFPC email account hosted by a third-party service provider, using it to send fraudulent emails to physicians. These emails contained requests to click malicious links and pay large sums of money, with at least one Manitoba-based physician, Dr. Michael Hochman, receiving two such messages within a ten-minute interval on the afternoon of February 11. The CFPC confirmed the account compromise in a member update on February 6, 2020, and issued an apology email to affected parties by February 10. Initial communications from the college indicated no confirmed reports of members clicking the links, though the total number of recipients and potential victims remained undetermined.

The CFPC responded by launching an investigation involving retained legal counsel and a cybersecurity firm, though operational details were withheld due to the ongoing nature of the probe. Cybersecurity consultant Eddie Phillips contextualized the attack as part of a widespread $1.6 trillion phishing industry, noting that 90% of privacy breaches stem from such social engineering tactics. The incident raised concerns among physicians about vulnerabilities in digital systems storing sensitive personal information, despite security measures like sophisticated passwords. While the attack did not disrupt CFPC’s core functions of setting training standards or certification processes, it exposed risks associated with third-party email hosting and underscored the persistent threat of financially motivated phishing campaigns targeting trusted institutional communications. The college maintained member updates throughout the response phase but did not disclose remediation measures or final breach statistics in available reporting.
