Important update Feb 2, 2024
CIUSSS West-Central Montreal has been informed that the eDocList incident detailed below, which was initially perceived to be a data-loss event, has now been confirmed as a cyber-intrusion. The company that runs the eDocList site reports that it was informed that its web-hosting service was the victim of ransomware. The CIUSSS Cybersecurity team has informed the Centre opérationnel de cyberdéfense de la santé, who has been actively monitoring the situation. CIUSSS West-Central Montreal continues to investigate the incident, in collaboration with MSSS officials. All other information provided below prior to this update remains accurate, including the measures the CIUSSS is taking to mitigate risks, as well as steps users can take to protect their information.
CIUSSS West-Central Montreal has been informed of a data loss suffered by eDocList, a third-party site that has been in use by physicians and residents at the Jewish General Hospital since 2012. The site, which existed independently from CIUSSS servers and independently from user records, was used as a clinical tool to facilitate the safe continuity of care of hospitalized patients. The incident occurred on November 19, 2023. There is currently no conclusive evidence that any patient data has been improperly accessed or stolen or that the incident was caused by an external threat.
Personal information potentially covered by the incident
With backups and logs reportedly destroyed as part of this incident, it is impossible to know which patients, if any, are potentially impacted by the data loss. It is also impossible to know what specific information is covered by the incident, but could include:
- first and last name
- medical record number (MRN)
- health insurance (RAMQ) number
- birth date
- information related to admission (i.e., status, reason, area of care)
- information relevant to ensuring continuity of care during shift changes
What is the CIUSSS doing to mitigate risks?
As soon as CIUSSS West-Central Montreal was informed of the incident, immediate action was taken to block access to the eDocList platform, which is no longer in use by residents and physicians practicing in the CIUSSS. As the investigation continues, the CIUSSS continues to work with Ministry of Health and Social Services (MSSS) officials to take proactive steps toward protecting patient information. This includes initiating the development of a replacement tool on the MSSS-secured Microsoft (Office365) environment. In addition, we are collaborating with the Centre opérationnel de cyberdéfense de la santé to actively monitor the situation and ensure prompt cybersecurity response if necessary. An independent firm has also been hired by eDocList to investigate the incident.
How can I protect my personal information?
Please note that CIUSSS West-Central Montreal will not contact anyone directly on this matter. With that in mind, it is always important to remain vigilant in order to protect your personal information. If you receive a suspicious or unexpected call, email or text message, never share details, such as credit card numbers, Social Insurance Number, RAMQ number, etc.
For more helpful tips on how to protect your personal information, please visit: https://www.priv.gc.ca/en/privacy-topics/identities/identity-theft/guide_idt/.
If you have any questions directly related to this incident, please email email@example.com and someone from our team will get back to you.
Thank you for your collaboration and understanding.