With great thanks to @masek and @JayeLTee and others who assisted or tried to, including Rogers ISP and law enforcement in Canada, we can finally say:
Bolton Walk-In Clinic patient data leak locked down!
Read about this very frustrating effort to get exposed patient data locked down:
https://databreaches.net/2025/06/30/bolton-walk-in-clinic-patient-data-leak-locked-down-finally/
#healthsec #PHIPA #HIPA #cybersecurity #infosec #incidentresponse #dataleak
@masek @JayeLTee For the life of me, I cannot understand why this got kicked over to the anti-rackets branch, but thank you for what you managed to accomplish.
I will post an update to this leak on my blog sometime this week, but in the interim:
Any patients of the Bolton Walk-In Clinic should consider filing a complaint with the provincial Privacy Commission and requesting an investigation into the clinic's failure to comply with medical privacy laws such as PHIPA. IMO, the IPC should also be asked to require the clinic to notify every patient whose unencrypted information was exposed.
Additional details about earlier efforts by @JayeLTee and I to get this leak secured can be found in my post at https://databreaches.net/2024/12/03/bolton-walk-in-clinic-in-ontario-lock-down-your-backup-already/
The Information and Privacy Commissioner of Ontario has completed a review into Daixin Team's massive cyberattack on five regional hospitals in 2023 and found hospital officials acted “adequately.”
Perhaps the most notable aspect of the report (from my perspective) was that the IPC said the hospitals were obligated to notify patients whose data had been encrypted (and not just those whose data had been exfiltrated). They saw no point in requiring that now, but wanted it noted that it should have happened.
So that seems to be making PHIPA's interpretation clearer for future victims of encryption incidents.
The full report makes an interesting read.
PHIPA Decision 284:
https://decisions.ipc.on.ca/ipc-cipvp/phipa/en/item/521986/index.do
#PHIPA #notification #incidentmanagement #databreach #ransomware
Unbelievable. Or maybe too believable...
I previously posted about Bolton Walk-in Clinic in Ontario not locking down their patient data despite multiple responsible disclosure alerts (https://infosec.exchange/@PogoWasRight/113589181607493357). Then I reported that Canada's cybersecurity agency contacted me and offered to help (https://infosec.exchange/@PogoWasRight/113589757905504474).
Well, they tried... but got no results either. Bolton Walk-In Clinic is still exposing patient data and didn't even do anything when contacted by Canadian federal police.
If any Canadian news outlet would like to report on this, get in touch. @JayeLTee and I will share the information with you (yes, I just volunteered him too). 😂
Or if anyone is in the vicinity of their clinic, maybe stand outside with a sign that says, "Bolton Walk-In Clinic is leaking patient data and ignoring alerts!" That might get some attention...
Bonus points if you get someone in a Santa outfit to stand outside their clinic with a sign that says "Bolton Walk-In Clinic is naughty -- they are leaking patient data."
#dataleak #negligence #healthsec #PHIPA #HIPA #cybersecurity #databreach #accountability
Bolton Walk-In Clinic in Ontario: lock down your backup already! DataBreaches hates reporting on an incident when the entity has not yet secured misconfigured storage, but after four months of futile efforts to get a Canadian clinic to respond to responsible disclosures, maybe publication will help get them off the dime. Do any personal injury lawyers in Ontario, Canada, or folks in the Information and Privacy Commissioner of Ontario follow me? Maybe they can get something done. Read more at: https://databreaches.net/2024/12/03/bolton-walk-in-clinic-in-ontario-lock-down-your-backup-already/ #misconfiguration #error #healthsec #dataleak #databreach #exposure #incidentresponse #DontCallMeHoney @brett
A patient at Woodstock Hospital in Ontario wants to know why the hospital never referred an insider-wrongdoing breach to the police. It's a fair question considering that the improper access affected 56 patients and took place between January and May.
Updating: It looks like Akira removed their listing for Michael Garron Hospital in Toronto, but why they removed it and whether it will remain removed remains unknown:
#databreach #healthsec #PHIPA #infosec #cybersecurity #incidentresponse
Daixin contacted me last night that they wouldn't be dumping databases from Transform as quickly as they are busy working on something else. But then this morning I woke up to find a message that for now, they released 300 records from a database for now that they describe as "interesting."
The data are sensitive and confidential info of named patients with their demographic info as well as health-related and account-related info. Many of these entries go back to service dates years ago, but they also included some current records. The records include dozens of fields including what service treated the patient (e.g., surgery, psychiatry) and when patients did not want any info given out about them to family or anyone. That ship has now sailed for them.
#databreach #PHIPA #HealthSec #TransForm #Sarnia #cybersecurity
Update: Sensitive patient data leaked from #TransForm ransomware incident that affects #BluewaterHealth and other Ontario healthcare entities:
#HealthSec #Ransomware #infosec #vendor #PHIPA #databreach #cybersecurity
Dissent Doe 
