Public notice of data breach
April 28, 2023
Today, Queensway Carleton Hospital (QCH) is issuing a public notice of an incident involving unauthorized access to patient data. Full details can be found at www.qch.on.ca/publicnotice.
Since March 2021, QCH contracted with Aetonix Systems Inc (Aetonix), a Canadian software company, to use their aTouchAway® communication cloud-based platform. In early March 2023, Aetonix discovered that an unauthorized third party gained access to an internal test environment where personal health information had been temporarily stored.
On learning of the incident, QCH immediately took action, requesting a report on the details of the incident and the scope of the data impacted. We have requested and received assurances that Aetonix secured its environment by deploying specialized tools to ensure no further unauthorized access could occur. We halted use of the platform.
QCH had been using the Aetonix platform to provide virtual communication services, care pathways, and remote patient monitoring. Additionally, some patient registration information from the period between March 2021 and March 2023 was included and may have been accessed by the unauthorized third party.
Patient data that may have been impacted include: patient ID numbers, patient visit ID (Account/Encounter number), patient name, gender, date of birth, marital status, mother tongue, home address and postal code, phone number, email address, OHIP number and version, insurance policy number, health care providers, scheduled surgical appointments, past medical history, and procedure description.
It is important to note that the QCH Electronic Medical Record and Patient Portal were not impacted. No credit card, financial, or banking information was included. If people visited a COVID-19 vaccine clinic that was affiliated with QCH, their data was only uploaded to Ministry of Health servers and was not affected by this incident.
QCH takes the privacy and security of personal information very seriously, and we sincerely regret that this incident occurred. We are sending individual letters to the affected patients and have reported the breach to the Office of the Information and Privacy Commissioner of Ontario (“IPC”), in accordance with best practices and with the Personal Health Information Protection Act (“PHIPA”). To provide additional assurance to patients, QCH has also retained the assistance of TransUnion Canada to offer one year of credit monitoring services at no cost to those patients who have been impacted.
For further details including a Question and Answer section, please visit www.qch.on.ca/publicnotice.