Cyber Incident Victim: St. Michael's Hospital

In September 2020, Unity Health Toronto, a network of Catholic hospitals including St. Michael’s Hospital, disclosed a data breach impacting approximately 150 patients. The incident stemmed from unauthorized access to transcribed medical records handled by an external company contracted to process clinical notes dictated by St. Michael’s physicians. According to a September 30 notification letter issued by Unity Health’s privacy office, a former employee of this third-party transcription service stole patient medical reports after being terminated from their position. The perpetrator allegedly used the stolen data in an attempt to extort money from their former employer, leveraging the sensitive health information as part of this scheme. The breach did not involve direct infiltration of St. Michael’s Hospital systems but rather exploited the compromised credentials or access privileges of the transcription company employee.

Unity Health Toronto initiated its response upon being notified by the third-party vendor about the theft and extortion attempt. The hospital network conducted an internal review to identify affected patients and determine the scope of exposed information, which included clinical notes containing personal health details. Notification letters were sent to all impacted individuals on September 30, 2020, advising them of potential risks and recommending vigilance against misuse of their medical data. No evidence suggested the stolen information was disseminated beyond the extortion attempt or used fraudulently against patients. The hospital emphasized that its own systems remained secure and reiterated its reliance on contractual obligations with vendors to safeguard patient data, though it did not disclose the transcription company’s identity or specific security measures failed in the incident. Legal authorities were engaged to address the extortion scheme, but outcomes of any investigations or prosecutions were not detailed in public disclosures.