The Medisys Health Group and its affiliate Copeman Healthcare have been hit by a ransomware attack, and have been forced to pay the ransom in order to retrieve the stolen data of some 60,000 clients.
The healthcare provider said that it first detected the cyberattack on its systems on August 31. Medisys also said that it informed privacy officials on September 4, and began notifying customers of the breach last week.
According to Medisys, the breach affected about 5% of its clients – about 60,000. The hackers responsible for the attack stole demographic information – clients’ ages, addresses, and even some personal health numbers – and then held the data for ransom.
Both Medisys and Copeman announced on their respective websites that their security consultants paid the ransom and confirmed that the malicious actors did not tamper with the data.
Bloomberg reported that the affected Medisys clients are being offered five years of complimentary identity theft protection from a commercial provider.
“We apologize for any inconvenience and we want to assure our clients that we do not believe there is cause for concern,” a notice on Medisys’ website said.
The Office of the Privacy Commissioner said in an email statement that it is maintaining communication with telecom company Telus, which owns Medisys.
“Given the potential seriousness of the breach, we are seeking more information in order to determine next steps,” said Valerie Lawton, manager of strategic communications at the Office of the Privacy Commissioner of Canada.