Cyber Incident Victim: Homewood Health

Date: Mar 2021

Location: Canada

Summary

A Canadian mental health services provider experienced a cyberattack resulting in unauthorized access to sensitive personal information, which was subsequently offered for sale online. The breach exposed unencrypted files containing individuals' full names, dates of birth, contact details, and clinical counseling notes related to employees of multiple organizations, including public agencies and private corporations. The attackers claimed possession of 183 GB of data, with samples indicating compromised records from employee assistance programs. Affected entities spanned governmental and commercial sectors, though the total number of impacted individuals remained undetermined. The incident raised concerns about data protection practices, particularly regarding the storage of sensitive health-related information without encryption prior to the intrusion.

Description

In March 2021, Homewood Health, a Canadian mental health services provider headquartered in Ontario, experienced a cybersecurity incident involving unauthorized access to its systems. The breach resulted in the theft of sensitive personal information, which subsequently appeared for sale on the dark web and clearnet via the Marketo online auction site by July 2021. Marketo’s listing claimed possession of 183 GB of data, including a publicly accessible sample, and reported 289 bids for the stolen information, though the bid count remained unverified. Homewood Health acknowledged the hack and initiated notifications to affected organizations in British Columbia—including BC Housing, TransLink, and the Provincial Health Services Authority—whose data was potentially compromised. The company did not disclose the total number of impacted individuals or provide details about the attack methodology. DataBreaches.net independently confirmed the exposure of sensitive records not displayed on Marketo’s site, including counseling notes and personal identifiers, but reported that Homewood Health ignored repeated inquiries about the incident’s scope and notification protocols.

Exposed data included unencrypted .doc and Excel files containing detailed contact notes from counseling sessions, with records featuring individuals’ full names, dates of birth, phone numbers, and session summaries. Specific examples involved an employee of Canada Post seeking counseling for their child and a Costco employee receiving personal counseling services. The breach raised concerns about data handling practices, as files remained unsecured despite an operational outage in March 2021 that altered call and record management procedures. DataBreaches.net questioned why sensitive information was not encrypted or properly transferred post-outage and whether Homewood Health would notify U.S.-based clients’ employees, such as a Texas-headquartered company that also did not respond to inquiries. The incident paralleled prior leaks involving counseling service providers, highlighting risks associated with storing highly personal mental health data without adequate safeguards. Homewood Health’s public communications remained limited, with no clarification on remediation efforts or encryption status at the time of reporting.
