Ontario Health atHome has disclosed that approximately 200,000 home care patients had their personal and medical information compromised following a ransomware attack on Ontario Medical Supply (OMS), a third-party vendor responsible for delivering medical supplies and equipment to patients across the province. The breach, which occurred between March and April 2025, was not publicly disclosed until June 2025, sparking intense criticism over the delayed notification.

What Happened

Threat actors infiltrated the systems of Ontario Medical Supply during March 2025, establishing persistence within the network over several weeks. On April 13, 2025, the attackers triggered the ransomware payload, encrypting OMS systems and exfiltrating patient data. OMS reportedly paid the ransom to regain access to its systems and obtain assurances that the stolen data would be deleted, though security experts caution that such promises from ransomware groups are unreliable.

Ontario Health atHome, which contracts with OMS to deliver medical supplies and equipment to patients receiving home care services, was notified of the breach shortly after the ransomware deployment. However, the organization did not begin alerting affected patients until June 2025, more than two months after the attack.

The Supply Chain Attack Vector

This incident highlights the critical risk posed by third-party vendors in the healthcare supply chain. OMS held sensitive patient data as part of its contractual obligation to fulfil medical supply orders for Ontario Health atHome. The data shared with OMS was necessary for supply delivery but created an extended attack surface beyond the direct control of Ontario Health atHome.

Healthcare organizations increasingly rely on networks of vendors, subcontractors, and technology providers, each representing a potential entry point for attackers. CyberSafe recommends that organizations implement rigorous third-party risk management programs, including regular security assessments of all vendors with access to sensitive data.

Patient Data at Risk

The compromised records of approximately 200,000 home care patients include:

  • Full names and residential addresses
  • Contact information including phone numbers and email addresses
  • Medical supply and equipment order details
  • Health card numbers in some cases
  • Information about medical conditions related to equipment needs

Delayed Disclosure Controversy

The two-month gap between the attack and patient notification drew sharp criticism from privacy advocates, affected patients, and members of the Ontario legislature. Patients argued that the delay left them unaware and unable to take protective measures during a period when their data may have been actively exploited.

By March 2026, Ontario's opposition parties formally demanded that the provincial government explain why patients were not notified sooner and what steps were being taken to prevent similar delays in the future. The Ontario Information and Privacy Commissioner launched an investigation into the notification timeline and the adequacy of both OMS's and Ontario Health atHome's privacy practices.

What Affected Patients Should Do

  • Monitor financial accounts and credit reports for signs of identity theft
  • Be alert for phishing emails or calls referencing home care services or medical supplies
  • Contact Ontario Health atHome's dedicated breach hotline for information about your specific data exposure
  • Report any suspicious activity to the Canadian Anti-Fraud Centre at 1-888-495-8501
  • Consider placing a fraud alert with Equifax Canada and TransUnion Canada

Healthcare Cybersecurity Imperatives

The Ontario Health atHome breach reinforces several critical lessons for healthcare organizations and their vendors:

  • Conduct thorough security assessments of all third-party vendors with access to patient data
  • Require contractual security obligations, including incident notification timelines, from all vendors
  • Implement data minimization practices, sharing only the minimum patient data necessary for service delivery
  • Establish and regularly test incident response plans that account for supply chain compromises
  • Deploy network monitoring and endpoint detection solutions that can identify lateral movement and data exfiltration
  • Ensure compliance with the breach notification timelines in PHIPA and federal privacy legislation, with help from cybersecurity consulting services
