Island Health (formerly Vancouver Island Health Authority) experienced a significant cybersecurity incident in November 2024 that disrupted healthcare services across Vancouver Island. The attack affected electronic health records systems, appointment scheduling, and patient communication systems, forcing the health authority to implement emergency protocols and manual processes whilst recovery efforts proceeded. The incident demonstrated the critical vulnerability of healthcare providers to cyber attacks and the direct patient care impacts that can result.
What Happened
Island Health discovered evidence of a ransomware attack on November 12, 2024, affecting multiple clinical and administrative systems. Investigation revealed that threat actors had gained initial access through a compromised contractor account approximately two weeks earlier. The attackers had systematically moved across Island Health's network, eventually deploying ransomware that encrypted critical healthcare systems including electronic health records (EHR), appointment scheduling, and clinical documentation systems.
The ransomware variant used was Alphv, a particularly aggressive strain known for targeting healthcare organisations. Threat actors exfiltrated patient medical records before encrypting systems, creating a dual-extortion scenario where they demanded payment both for decryption keys and for not publishing patient data. The attack was particularly disruptive because it targeted systems essential for patient care delivery.
Scope and Impact on Patient Care
Island Health serves approximately 850,000 residents across Vancouver Island and the Gulf Islands. The attack affected systems used by multiple hospitals, clinics, and healthcare facilities across the region, including:
- Electronic health records systems used by clinicians for patient information access
- Appointment scheduling and patient booking systems
- Laboratory result reporting and test ordering systems
- Pharmacy systems for medication management
- Patient communication systems and telehealth platforms
- Administrative and billing systems
The disruption to EHR systems forced healthcare staff to resort to paper-based records for some functions, significantly slowing clinical workflows. Appointment scheduling delays meant patients faced difficulty booking procedures and consultations. Laboratory results were manually communicated rather than electronically transmitted, creating potential for errors and delays in critical diagnoses.
Patient Data Exposure
The exfiltration of patient medical records exposed highly sensitive healthcare information for approximately 180,000 patients, including:
- Patient names, addresses, and contact information
- Healthcare provider numbers and patient identification codes
- Medical diagnoses and treatment history
- Prescription medication information
- Mental health and counselling records for some patients
- Sexual health and reproductive health information
The exposure of sensitive healthcare information was particularly concerning given the stigma associated with certain medical conditions and the potential for harm if such information was used for blackmail or discrimination.
Island Health's Response
Island Health implemented comprehensive response measures whilst prioritising patient safety:
- Declared a critical infrastructure incident and activated emergency response protocols
- Notified British Columbia's Ministry of Health and emergency management authorities
- Implemented manual clinical processes and paper-based documentation systems
- Prioritised emergency care services whilst managing non-urgent procedures
- Engaged external cybersecurity firms for forensic investigation
- Notified all affected patients about the breach and data exposure
- Coordinated with law enforcement and Canadian authorities
- Restored systems progressively from offline backups over approximately two weeks
Lessons Learned
The Island Health cyber incident illustrates critical lessons for healthcare organisations. First, healthcare providers face particular vulnerability to ransomware because of the high cost of system downtime in patient care contexts. Threat actors recognise that healthcare organisations are more likely to pay ransoms quickly to restore critical care systems.
Second, the incident demonstrates the necessity for healthcare organisations to maintain comprehensive offline backup systems separate from primary networks. Island Health's ability to gradually restore systems was directly attributable to having maintained offline backups that threat actors could not encrypt.
Third, the incident highlights the importance of contractor access management. The initial compromise occurred through a contractor account with excessive privileges, underscoring the necessity for healthcare organisations to implement strict controls on external access.
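The contractor-access lesson above, together with the movement across the network described under What Happened, can be checked for routinely. The following Python audit is an added example, not code from Island Health or CyberSafe; the account names, hosts, inventory layout and log format are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed inventory (assumption): contractor accounts, groups, approved hosts.
CONTRACTORS = {
    "ctr-hvac01": {"groups": {"vpn-users"}, "hosts": {"bms-01"}},
    "ctr-imaging02": {"groups": {"vpn-users", "Domain Admins"}, "hosts": {"pacs-01"}},
}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Backup Operators"}
# Constructed authentication log: ISO timestamp, account, destination host.
AUTH_LOG = """\
2024-01-08T09:02:11 ctr-hvac01 bms-01
2024-01-08T09:15:40 ctr-imaging02 pacs-01
2024-01-09T02:31:07 ctr-imaging02 ehr-db-01
2024-01-09T02:44:52 ctr-imaging02 sched-app-02
2024-01-10T03:05:19 ctr-imaging02 backup-01
2024-01-10T10:20:00 dr.smith ehr-db-01
"""

def parse_events(text):
    """Yield (timestamp, account, host); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2]

def audit(contractors, events):
    """Return {account: [finding, ...]} for contractor accounts with issues."""
    first_seen = defaultdict(dict)  # account -> {unapproved host: first login}
    for ts, account, host in events:
        entry = contractors.get(account)  # None for staff accounts: ignored here
        if entry and host not in entry["hosts"]:
            first_seen[account][host] = min(first_seen[account].get(host, ts), ts)
    findings = {}
    for account, entry in contractors.items():
        notes = []
        risky = sorted(entry["groups"] & PRIVILEGED_GROUPS)
        if risky:  # excessive privilege on an external account
            notes.append("privileged groups: " + ", ".join(risky))
        hosts = first_seen.get(account, {})
        if hosts:  # logins outside the approved scope suggest lateral movement
            notes.append(f"{len(hosts)} unapproved hosts since "
                         f"{min(hosts.values()).isoformat()}: " + ", ".join(sorted(hosts)))
        if notes:
            findings[account] = notes
    return findings

if __name__ == "__main__":
    print(audit(CONTRACTORS, parse_events(AUTH_LOG)))
```

Run against real directory exports and authentication logs, the same two checks surface contractor accounts that hold privileged group membership or log in to hosts outside their approved scope.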
How CyberSafe Can Help
CyberSafe's Healthcare Cyber Defense Services help healthcare organisations implement specific security controls tailored to the healthcare environment. Our Business Continuity and Disaster Recovery Consulting helps healthcare providers ensure backup systems are maintained offline and regularly tested. Through Managed Security Services, we provide 24/7 monitoring of healthcare systems to detect suspicious activity and prevent ransomware deployment.