Cyber Incident Victim: Michael Garron Hospital
Date:
Oct 2023
Location:
Canada
Summary
Michael Garron Hospital experienced a data security incident prompting an investigation with third-party experts, leading to the activation of a Code Grey to coordinate response efforts while maintaining normal clinical operations without disruption to patient care. The investigation confirmed unauthorized exposure of patient, staff, clinician and donor data, though no compromise of core health information systems occurred; credit monitoring services were offered to affected personnel as a precaution. Authorities including law enforcement and privacy regulators were notified, with the hospital clarifying no connection to unrelated cyberattacks targeting other regional healthcare facilities sharing a different IT provider.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 3 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
Michael Garron Hospital (MGH) in Toronto was made aware of a data security incident on October 23, 2023, prompting an immediate investigation supported by third-party experts. The hospital activated a Code Grey on October 26 to coordinate resources, minimize operational disruption, and prepare downtime procedures for potential large-scale IT system failures, though no clinical applications or patient care services were initially impacted. Initial statements emphasized proactive measures to safeguard data and information systems while maintaining normal hospital operations. By October 30, MGH confirmed the exposure of patient, staff, credentialed clinician, and donor data but found no evidence of compromise to its patient health information database or connection to a separate cyberattack affecting five southwestern Ontario hospitals that shared the IT provider TransForm. The hospital transitioned out of Code Grey by declaring an "All Clear" after confirming no disruptions to clinical systems, though the broader investigation into data exposure continued.
MGH engaged third-party specialists to assess the scope of the breach and identify affected individuals, committing to notify them in accordance with legal requirements. As a precaution, the hospital offered two years of free credit monitoring to staff and credentialed clinicians to detect potential identity fraud. It reported the incident to the Ontario Information and Privacy Commissioner and collaborated with government agencies and law enforcement. Throughout the response, MGH reiterated that patient care remained unaffected and the hospital was safe for services, directing the public to a dedicated FAQ page for updates. The investigation remained ongoing with no confirmed timeline for completion, reflecting the complexity of determining the full extent of data exposure. MGH emphasized transparency in providing further updates as findings emerged, while acknowledging the support of sector partners in managing the incident.