Cyber Incident Victim: Queensway Carleton Hospital
Date: Mar 2023
Location: Canada
Summary
A data breach at Queensway Carleton Hospital involving a third-party software provider, Aetonix Systems Inc., potentially compromised health and personal information—including home addresses and OHIP numbers—of up to 100,000 patients. The incident stemmed from unauthorized access to an internal test environment where patient data was temporarily stored, prompting the hospital to cease using the platform upon discovery. Affected individuals were notified through public announcements and direct communications, while provincial privacy authorities were also informed of the breach.
Description
The Queensway Carleton Hospital data breach, discovered in March 2023, involved unauthorized access to sensitive patient information through a third-party software provider. Aetonix Systems Inc., an Ottawa-based Canadian software company, maintained an internal test environment where personal health data of hospital patients was temporarily stored. The hospital determined that an unauthorized third party potentially accessed this environment, compromising health records, personal details, home addresses, and Ontario Health Insurance Plan (OHIP) numbers. The breach affected approximately 100,000 current and former patients of the hospital. Queensway Carleton Hospital immediately ceased using the Aetonix platform upon identifying the incident, though the exact duration of unauthorized access or specific intrusion methods were not disclosed in public notifications. No evidence suggested broader hospital systems beyond the third-party test environment were compromised.

The hospital initiated its formal response by issuing public breach notices on April 28, 2023, six weeks after discovering the incident. Affected patients received direct individual communications detailing the scope of exposed information. Hospital administrators concurrently reported the breach to Ontario's Information and Privacy Commissioner, fulfilling provincial regulatory obligations. The disclosure confirmed that no financial data or banking information was involved in the breach, though stolen OHIP numbers and addresses created significant identity theft risks for victims. No ransomware demands or explicit threat actor claims were referenced in the hospital's statements. The incident highlighted vulnerabilities associated with third-party vendor systems storing sensitive health data, though specific corrective actions taken by either the hospital or Aetonix beyond terminating platform access remained undisclosed in available reports.
