Ontario Health Ministry Knew About Cyber Breach Weeks Before Public Was Warned, Documents Reveal

Senior political staff inside Ontario’s Health Ministry were privately briefed about a major data breach affecting hundreds of thousands of home care patients more than a month before any public disclosure was made even as the ministry publicly condemned the agency involved for failing to act swiftly.

That’s the picture emerging from new documents obtained by Global News, which contradict the government’s carefully maintained position that officials moved promptly once they became aware of the situation.

The trouble began quietly. In mid-March, ransomware crept into the computer systems of Ontario Medical Supply, a vendor that serves Ontario Health atHome the province’s primary home care coordination agency. The malicious payload was deployed on April 13. The following day, Ontario Medical Supply flagged what it called a “system outage” to Ontario Health atHome, though the full scope of what had happened remained unclear for weeks.

It wasn’t until May 21 that the vendor could formally confirm what many had feared: patient data had been compromised.

What happened next is where the government’s story starts to unravel.

Within 48 hours of that confirmation on May 23 a calendar invitation went out to six senior staff in the office of Health Minister Sylvia Jones, including her chief of staff. The deputy minister, the most powerful civil servant in the Ministry of Health, was also included. The purpose of the meeting, scheduled for May 30, was described plainly: a briefing on “impacts and next steps” following the Ontario Medical Supply outage.

That means the minister’s inner circle had been looped in by late May at the latest. The public, however, would not hear a word about it for more than a month.

What makes this revelation particularly striking is the tone the Ministry of Health struck when the breach eventually did become public thanks largely to pressure from Ontario Liberal MPP Adil Shamji, who raised the alarm last June in the legislature.

The ministry issued a pointed statement declaring that all service providers must “uphold the highest standards of patient care, security and confidence,” and that vendors are expected to “take immediate steps to identify when there has been a cyber breach and to notify the Ministry of Health immediately.” It called the failure to follow that process “unacceptable.”

Notably, that statement was issued three months after the ransomware attack had already taken place — and weeks after political staff had already been briefed in a private meeting.

MPP Shamji was blunt in his assessment of what the documents reveal.

“It’s astonishing to think that they were aware personal health information for hundreds of thousands of Ontario patients may have been compromised and they sat on that,” he said. “A government cannot lead, they cannot earn trust, they cannot solve problems if it is constantly running from the truth.”

He added that the minister has consistently claimed she acted as soon as she had information. “We now have incontrovertible evidence that the Ministry of Health actually did know,” he said.

When Global News pressed the Ministry of Health on why patients weren’t notified sooner, officials did not answer the question directly. A spokesperson instead issued a statement outlining the sequence of events, noting that Ontario Health atHome “alerted the Information and Privacy Commissioner (IPC) and diligently followed the IPC’s advice in the process of informing those whose health information had been breached.”

The response makes no mention of the May 30 briefing, nor does it explain why the ministry’s senior political and bureaucratic leadership was informed weeks before the public.

The Ontario Medical Supply breach is not just a story about delayed disclosure. Earlier documents obtained by Global News confirmed that the attack was ransomware and suggested a ransom was paid to the hackers responsible.

Shamji did not hold back in his broader assessment of the agency at the centre of the storm. “This is an agency that has been plagued with problems almost from the moment of its conception,” he said. “There have been massive challenges in home care, and that’s putting it lightly.”

For patients whose private health information sat in the hands of hackers while government officials held closed-door briefings, the wait for real accountability continues.