Ontario Home-Care Data Breach Leaves 200,000 Patients Exposed After Ransomware Attack

Abdur Rahman Khan

On May 6, OMS informed Ontario Health atHome that patient information may have been removed from its systems

A ransomware attack on a medical supply company contracted by the Ontario government exposed the personal health information of approximately 200,000 home-care patients, triggering weeks of confusion and frustration among provincial officials trying to determine the scale of the breach.

Internal emails and documents obtained through freedom of information requests reveal that government officials struggled for months to obtain clear answers from Ontario Medical Supply (OMS) after its systems were compromised earlier in 2025.

The cyberattack was first detected in mid-April, when OMS informed Ontario Health atHome, the provincial agency responsible for coordinating home-care services, that its network had been breached and that a large portion of its servers had been locked by ransomware. Initially, the company suggested the threat to patient data was minimal.

However, as investigations continued, the situation appeared far more serious.

According to internal reports, the ransomware likely infiltrated OMS servers in mid-March 2025 and remained undetected for nearly a month. The malware activated on April 13, encrypting critical systems and demanding payment in exchange for restoring access.

The day after the attack, OMS notified Ontario Health atHome that it had experienced a security breach. Early assessments suggested the risk to health-care data was low, with company representatives saying existing safeguards limited the potential impact.

But provincial officials soon began requesting detailed information about the incident, including what data might have been accessed and which patients could be affected.

For more than two weeks following the attack, neither OMS nor government officials believed personal health records had been taken. That changed in early May.

On May 6, OMS informed Ontario Health atHome that patient information may have been removed from its systems. By May 21, the company confirmed that health-related data had indeed been exfiltrated.

Despite the confirmation, officials still struggled to determine the number of patients affected.

In a message sent May 23, the company’s chief executive estimated that roughly 200,000 individuals may have had basic personal information compromised, but said the company was unlikely to produce a more precise number.

Ontario Health atHome pushed back, repeatedly asking OMS for a breakdown of affected patients and details about the type of data that had been accessed.

A legal letter sent by the agency’s lawyers in June expressed growing frustration with the company’s response. The letter stated that despite multiple requests, OMS had failed to provide a detailed list of affected individuals or clarify exactly what personal health information had been exposed.

“We really need to understand our actual exposure,” an agency representative wrote in a June 9 email, emphasizing the urgency of identifying impacted patients.

Following the breach, OMS was temporarily disconnected from Ontario Health atHome’s digital systems while cybersecurity teams investigated the incident. The disconnection created tensions between the company and government officials.

In an email sent June 11, the CEO of OMS complained that the continued separation from government systems was interfering with patient care and preventing the company from reporting supply shortages and other operational issues.

Provincial officials maintained that reconnection would only happen once security concerns were addressed.

The cyberattack remained undisclosed publicly until late June 2025, when Ontario Liberal Member of Provincial Parliament Adil Shamji raised concerns about the incident.

A subsequent government report indicated that OMS ultimately paid the ransom demanded by the attackers in order to regain access to its systems, although the amount has not been publicly disclosed.

To date, the Ontario government has not released a detailed breakdown of the affected patients or the exact types of data involved. The Ministry of Health also declined to answer several questions regarding the breach.

Ontario Medical Supply did not respond to media inquiries before publication.

The incident highlights the growing cybersecurity risks facing health-care systems, where large volumes of sensitive patient information are often shared between government agencies and private service providers.