Date: Oct 2022

Location: Canada

Summary

A ransomware attack on a Saskatoon obstetrics and gynecology clinic compromised the personal health information of up to 20,000 patients. The incident occurred after a staff member opened a malicious email attachment, allowing attackers to access sensitive data, as confirmed by the province’s privacy watchdog in its investigation.


Description

A ransomware attack compromised the Saskatoon Obstetric and Gynecologic Consultants clinic in late December 2020, initiated when a staff member opened a malicious email attachment on a workstation. This action enabled threat actors to deploy ransomware, encrypting systems and exfiltrating sensitive patient data. The breach remained undisclosed publicly until Saskatchewan’s Privacy Commissioner, Ronald Kruzeniski, published an investigative report in September 2022, nearly two years after the incident. The attackers gained access to personal health information (PHI) belonging to approximately 20,000 patients, including sensitive medical records typical of obstetrics and gynecology practices. No specific details about ransom demands, payment, or data deletion guarantees were disclosed in the Commissioner’s report. The clinic’s operational disruptions and downtime duration were not quantified in available sources.

The Privacy Commissioner’s report confirmed the attack vector as a phishing email with a malicious attachment, emphasizing human error as the initial intrusion point. Kruzeniski’s office investigated the breach under provincial health privacy legislation but did not cite specific penalties or corrective actions imposed on the clinic. The compromised data included identifiable patient information tied to reproductive health services, elevating risks of medical identity theft or extortion. No evidence suggested patient data was publicly leaked or misused as of the report’s publication. The clinic’s cybersecurity measures prior to the attack, as well as its incident response timeline for containment and recovery, were not detailed in the report or subsequent media coverage. The 22-month gap between the breach and its public notification via the Commissioner’s report indicated prolonged investigation or internal assessment periods.
