Cyber Incident Victim: CIUSSS de l'Est-de-l'Île-de-Montréal

The CIUSSS de l'Est-de-l'Île-de-Montréal, a healthcare and social services network in Montreal, experienced a cybersecurity incident around May 31, 2021, involving unauthorized access to its systems. Attackers exfiltrated personal data belonging to approximately 2,300 individuals, including both patients and employees. The compromised information included names, addresses, social insurance numbers, and medical details, creating significant privacy risks. The breach was discovered during routine security monitoring, prompting immediate containment measures. CIUSSS took affected systems offline to prevent further data loss and launched a forensic investigation with third-party cybersecurity experts. Authorities, including Quebec's access-to-information commission and law enforcement, were notified as required by breach disclosure regulations.

The incident caused operational disruptions to patient services and administrative functions during the containment phase. CIUSSS established a dedicated support line for affected individuals and offered credit monitoring services to mitigate identity theft risks. Internal communications emphasized staff vigilance against phishing attempts leveraging stolen data. No ransomware deployment or public extortion demands were explicitly confirmed in official statements, though the breach’s scope suggested potential financial motives. Recovery efforts focused on restoring secure system access while auditing network vulnerabilities. The organization faced regulatory scrutiny regarding data protection practices, with particular attention to safeguards for sensitive health information. Service delivery resumed gradually following security validation, though long-term reputational and compliance impacts persisted.