A cybersecurity breach affecting over 200,000 patients should sound alarm bells at the highest levels of government. Yet here we are—more than three months after a suspected cyberattack—and Ontario Health atHome is only now notifying patients whose sensitive health information may have been compromised. This delay is not just troubling. It’s unacceptable.
The breach reportedly occurred around March 17. Ontario Health atHome says it was notified by its vendor, Ontario Medical Supply (OMS), that a system outage was in fact a cybersecurity attack. The stolen data may include patients’ names, contact details, and medical supply records. It’s not the worst kind of health information to be leaked, but it’s still deeply personal. For those affected, it’s enough to cause anxiety—and deserves immediate transparency.
Instead, the public only learned about the breach on June 27, when Liberal MPP Dr. Adil Shamji called out the government’s silence and demanded answers from Health Minister Sylvia Jones and Premier Doug Ford. Shamji, a physician and former emergency room doctor, rightly asked the most basic question: “If your personal health information had been stolen, how long would you want to wait before being told?”
It’s a question neither the Health Minister nor the Premier seem eager to answer.
At a press conference held the day Shamji blew the whistle, Minister Jones vaguely confirmed an investigation was ongoing and said patients would be notified “if” there was any breach—this despite the fact that Ontario Health atHome had already acknowledged a breach in its public notice that same day.
Premier Ford was no more forthcoming. He sidestepped the issue of delay, offering platitudes about sacred health records and promising that anyone responsible should be fired and charged. That’s fine rhetoric, but it does nothing to address why it took three and a half months for anyone to say a word.
This wasn’t just a minor slip-up. This was a serious breach of trust in a public health system that people rely on not just for care—but for confidentiality.
The province’s Information and Privacy Commissioner (IPC) is now investigating, but even that only came after Shamji formally requested it, following a lack of communication from the IPC after his initial inquiries. In a letter to Shamji, Commissioner Patricia Kosseim confirmed that her office had received a report that matched the timeline and nature of the breach and that the matter was under review. But for many Ontarians, it’s too little, too late.
The people of Ontario deserve more than bureaucratic fog and political finger-pointing. They deserve answers, accountability, and a system that protects their data with the urgency it deserves.
This incident raises serious questions about how health agencies handle breaches and, more importantly, how quickly they inform those impacted. Waiting months to notify patients is a failure of both duty and ethics. It suggests a government more concerned with managing optics than protecting citizens.
The province needs to enact stricter guidelines around breach disclosure, especially when it involves public health information. Time matters when people’s private data is floating in the hands of bad actors.
Because the question isn’t just why it happened.
It’s why no one told us.
