The detailed medical histories and contact information of possibly tens of thousands of home-care patients in Ontario are allegedly being held for ransom by thieves who recently raided the computer systems of a health-care provider.

CarePartners, which provides home medical care services on behalf of the Ontario government, announced last month that it had been breached. It said only that personal health and financial information of patients had been "inappropriately accessed," and did not elaborate further.

However, a group claiming responsibility for the breach recently contacted CBC News and provided a sample of the data it claims to have accessed, shedding new light on the extent of the breach.

The sample includes thousands of patient medical records with phone numbers and addresses, dates of birth, and health card numbers, as well as detailed medical histories including past conditions, diagnoses, surgical procedures, care plans and medications for patients across the province.

Another document appears to contain more than 140 active patient credit card numbers and expiry dates, many with security codes.

The attackers claimed the sample was a subset of hundreds of thousands of patient records and related materials in their possession dating back to 2010.

More news from CBC

"We requested compensation in exchange for telling them how to fix their security issues and for us to not leak data online," they told CBC News.

CarePartners did not answer questions about the ransom, and it is not clear if or when the data will be posted online.

Forensic investigation underway

Under Ontario's Personal Health Information Protection Act, health-care providers are required to "take precautions to safeguard against theft, loss, as well as unauthorized collection, use, disclosure, copying, modification or disposal of your personal health information" and ensure that health records are retained securely.

Violations of the act can lead to prosecution. If found guilty, companies can be fined up to $500,000, while individuals may be fined up to $100,000.

In a statement, CarePartners said it was contacted by the attackers via email on June 11, with an attachment later verified by the company to contain an authentic sample of patient and employee data. A week later, on June 18, CarePartners released a news release notifying patients of the breach.

The sample of employee information viewed by CBC News contained T4 tax slips, social insurance numbers, bank account details and plaintext passwords. CarePartners said it notified affected employees directly.

The company says its forensic investigation has so far identified 627 patient files and 886 employee records that were accessed. But the sample provided to CBC News appears to contain names and contact information for more than 80,000 patients alone.

CBC News contacted ten patients whose records were included in the provided sample and confirmed they had been patients of CarePartners. Each said they had not been directly notified by CarePartners and were unaware there had been a breach.

Former patient Arthur Redublo told CBC News it was "very troubling to know it was that easy to gain that information."

He said whatever steps had been taken to secure his information "obviously wasn't enough."

Arthur Redublo was treated by CarePartners for an injury five years ago. His medical records were among those viewed by CBC News. (CBC News)

CarePartners said it had "proactively notified those patients whose records were inappropriately accessed" in conjunction with Ontario's local health integration networks (LHINs) — Crown agencies established by the provincial government that contract with companies like CarePartners to provide home-care services such as nursing.

"The maximum extent of any breach with respect to patient information is the approximately 237,000 patients for which CarePartners has provided care and collected information," the company said.

In a statement, the Office of the Information and Privacy Commissioner of Ontario said it is investigating.

"We will be assessing whether the breach could have been prevented, whether adequate steps are being taken to respond to it, and to ensure that systems are in place to help prevent future breaches."

No encryption, attackers claim

CarePartners said it is working with the Herjavec Group, a cybersecurity firm, to assess the extent of the breach and close any remaining holes. The company said it believes the attackers no longer have access to its network.

CarePartners declined to provide more detailed information about the attack, citing an ongoing criminal investigation by Waterloo Police.

The attackers told CBC News in an encrypted message that they discovered vulnerable software on CarePartners' network that had not been updated in two years "by chance," and were able to exploit those vulnerabilities and weak passwords to remove hundreds of gigabytes "completely unnoticed."

"This data breach affects hundreds of thousands of Canadians and was completely avoidable," the group told CBC News. "None of the data we have was encrypted."

While Ontario's privacy commissioner requires that personal health information be encrypted when stored on mobile devices, there is presently no similar requirement for desktop computers or servers.

Health-care providers are required to "take precautions to safeguard against theft, loss, as well as unauthorized collection, use, disclosure, copying, modification or disposal of your personal health information" and ensure that health records are retained securely under Ontario law — but there is nothing that says data stored on computers or servers must be encrypted. (Benoit Tessier/Reuters)

"Encryption is one piece of the puzzle," said lawyer Mary Jane Dykeman, a partner with the Toronto-based boutique firm DDO Health Law. "But it's also possible that you hold information in a repository or in a system where, in and of itself it's not encrypted, but you have a secure perimeter, if you will. You have a fence around it that people can't just walk through."

The attackers compared their work to corporate bug bounty programs, where some companies will pay security researchers in exchange for finding vulnerabilities in their systems. But this comparison is not especially accurate, as participants in these programs typically do so with the company's permission, and with strict rules around handling any sensitive data they encounter on the way.

CarePartners said it "takes the safeguarding of personal health and financial information seriously" — regularly updating its systems, and relying on a "leading third party" to manage its computers and networks.

If you have a information on this or other stories, Lori Ward can be reached at lori.ward@cbc.ca. Matthew Braga can be reached at matthew.braga@cbc.ca, or using encrypted messaging apps Signal or WhatsApp at +1 416 316 4872. For particularly sensitive messages or documents, consider using Secure Drop, an anonymous, confidential system for sharing encrypted information with CBC News.