Cyber Incident Victim: Ordre des infirmières et infirmiers du Québec
Date:
Apr 2024
Location:
Canada
Summary
The Ordre des infirmières et infirmiers du Québec experienced a cybersecurity incident involving unauthorized third-party access, resulting in the theft of personal data belonging to approximately 80,000 members, with some files circulating on the dark web. The organization confirmed the breach but has not yet determined the full scope of compromised information or directly notified affected individuals, leading to widespread concern among members about transparency and data protection. Services were disrupted, with offices closed to visitors, intermittent phone access, and a temporary shift to virtual operations while experts investigate, recover data, and implement security measures to restore systems.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On April 19, 2024, the Ordre des infirmières et infirmiers du Québec (OIIQ) detected irregular activity in its information systems, confirming it had been targeted by an unauthorized third-party cybersecurity incident. The organization, representing approximately 80,000 nursing professionals, immediately initiated an investigation with cybersecurity experts to secure its infrastructure and assess the breach. By April 23, the OIIQ acknowledged that a sample of stolen files had appeared on the dark web, though it could not yet specify which personal data of members was compromised or the full extent of the data exposure. Members were not formally notified of the ransomware attack until the week following the initial intrusion, creating significant anxiety among the nursing workforce. Many expressed frustration over the lack of transparency regarding their personal data risks, with some confirming proactive measures like credit card freezes despite receiving no direct guidance from the OIIQ. Corine Cadorette, an Estrie-based nurse, reported repeated unsuccessful attempts to contact the organization via email for clarification on potential data exposure.
The OIIQ deployed a business continuity plan to maintain public protection and service delivery while restricting physical access to its offices, operating solely through virtual channels. Its telephone services functioned intermittently, with full website restoration projected within days following the attack. Cybersecurity personnel worked to recover circulated files and analyze their contents, pledging to contact affected individuals promptly while adhering to regulatory obligations. Members voiced concerns over insufficient protective measures, with approximately 30,000 nurses in a Facebook group reporting no personalized notifications about their data status weeks post-incident. Operational disruptions persisted as the organization prioritized system security and forensic analysis, directing all non-urgent inquiries to a designated email address ([email protected]) amid limited communication capacity.