Disclosure in connection with a recent data security incident
Ottawa, May 12, 2023 - Hôpital Montfort made a disclosure in connection with a recent data security incident.
Since February 2020, Montfort has had a contract with Aetonix, a Canadian software company, for the use of its aTouchAway® virtual communication platform. An Aetonix data security incident may have resulted in unauthorized access to some personal information provided by patients to Montfort after they were discharged from the hospital.
There is no evidence that the information was used inappropriately. However, we are informing the individuals concerned and providing them with information about resources available to help them protect their information.
Information entered by patients into the Aetonix platform may include: first and last name, date of birth, gender, language, address, email, phone number, and clinical information exchanged with paramedics and/or community health services.
It is important to note that there is no link between our electronic health record and Aetonix, nor is there any financial information (credit cards, transactions, etc.) of our patients.
On May 12, those affected were notified by TransUnion on behalf of Montfort. As a precautionary measure, we are offering the affected individuals the services of the credit monitoring company TransUnion, free of charge for one year, to alert them in case of identity theft.
"Montfort takes the privacy and security of personal information very seriously, and we worked closely with the vendor throughout the investigation process to ensure that an incident like this does not happen again," said Philippe Marleau, Vice President, Chief Information and Privacy Officer at Montfort. "We sincerely regret that this incident occurred, as this does not reflect the exceptional experience we aim to provide at Montfort."
Montfort reported the incident to the Office of the Information and Privacy Commissioner of Ontario, in accordance with best practices and the Personal Health Information and Protection of Privacy Act.
In the interest of caution, Montfort reminds everyone to be diligent and remain vigilant about fraud and identity theft.
Questions & Answers
- What is the connection between the company Aetonix and Montfort?
Since February 2020, Montfort has had a contract with Aetonix, a Canadian software company, to pilot and test its aTouchAway communication platform. This platform provides virtual communication, care pathway and remote patient monitoring services used by Montfort to support its patients.
- What happened?
Aetonix discovered that an unauthorized person gained access to an internal test environment where Montfort patient personal health information had been temporarily stored. This included more than 1,200 Montfort patients who received remote home monitoring for certain services.
Following a thorough review of the incident, Aetonix's investigation concluded that the incident may have resulted in personal health information being accessed, or copied, by an unauthorized person between February 23 and March 9, 2023.
More information on the incident is available on the Aetonix website.
- When were you notified of the incident?
On March 17, 2023, Aetonix informed Montfort that on March 13, the company had discovered that an unauthorized person gained access to an internal test environment where personal health information of its customers was temporarily housed.
- What kind of information was on the Aetonix platform?
Information entered by patients into the Aetonix platform may include: first and last name, date of birth, gender, language, address, email, phone number, and clinical information exchanged with paramedics and/or community health services.
It is important to note that the data on the aTouchAway platform does not contain any personal health information from the electronic health record, Connected Care Patient Portal, nor any financial information (credit cards, transactions, etc.) of our patients.
- How many people are involved?
The records of approximately 1,200 people who have been Montfort patients and have received remote home monitoring after discharge are affected.
- Why is Montfort using this application?
The Aetonix/aTouchAway platform is used to communicate with a person who is being monitored after discharge from Montfort. The individual must first consent to receive services on various programs. Montfort sends a link to the Aetonix platform via the email address given by the person. Afterwards, the person enters his or her data in the platform in order to benefit from home health follow-up.
- What is Hôpital Montfort's policy regarding the protection and confidentiality of patient information?
Hôpital Montfort has several policies regarding the security and protection of personal health information. We have two main policies: one on confidentiality, in the broadest sense of the term (personal information, personal health information, administrative information) and one that deals solely with the protection of personal health information.
- What steps did you take to correct the situation?
We took immediate action:
- As a precautionary measure, we immediately paused the use of the Aetonix platform.
- We worked closely with the provider throughout the investigation process to ensure that an incident like this would not happen again.
- We requested a report on the details of the incident and the extent of the data affected.
- We requested and received assurance that Aetonix had secured its environment by deploying specialized tools to ensure that no further unauthorized access could occur.
- Aetonix has confirmed that it has reported the incident to the Canadian police and privacy commissioners.
- We have reported the incident to the Information and Privacy Commissioner of Ontario.
- All individuals involved in the incident were notified on May 12, 2023, by TransUnion.
- As a precautionary measure, we have offered all affected individuals free credit monitoring and identity theft protection services with TransUnion for one year.
- Were any disciplinary actions taken?
Human error on the part of an Aetonix employee was the cause of this incident. We have demanded guarantees from Aetonix, such as a post-incident certificate of compliance.
- Have you contacted the individuals whose information may have been compromised?
Yes, individuals affected by this incident received an email communication from TransUnion (and in a few cases a letter or phone call from Montfort) explaining the incident. They were invited, if they wished, to contact privacy staff and we offered them free credit monitoring and identity theft protection services with TransUnion for one year.
- Why was there a delay in notifying patients?
As soon as the incident was reported, Montfort took steps to contain the incident and conduct a summary review of the impacted information to understand the situation and the risks involved. Given the complexity of the incident and the involvement of a third party, we needed to take the time to fully understand the facts and find appropriate solutions.
- Did you notify the Privacy Commissioner of Ontario?
Yes. We notified the commissioner's office on March 30, 2023, in order to benefit from her advice and to assure our patients of transparency in this matter.
- Is this incident related to the recent disclosure by Queensway Carleton Hospital?
Indeed, this incident is related to the same disclosure regarding Aetonix (see https://aetonix.com/incident/media-statement/). In the case of Montfort, the Aetonix platform was used exclusively for patients taking advantage of the home monitoring program after being discharged from Montfort. Only information entered by the patients themselves was on the platform.
- Is the confidentiality of my medical record secure?
The security and confidentiality of our patients' records is paramount to us and we take this incident very seriously.
As soon as we were informed, we immediately paused our use of the Aetonix platform.
It is important to note that the impacted data does not contain any personal health information from the electronic health record, Connected Care Patient Portal, or any financial information (credit cards, transactions, etc.) of our patients.
- I received care at Montfort recently. How do I know if this incident directly affects me?
The majority of those impacted were notified by email. If, since February 2020, you have received telemonitoring care services after receiving care or services at Montfort and have not received an email from TransUnion, please check your junk mail folder or contact us at aipvp@montfort.on.ca or 613-746-4621 ext. 2905. We will respond to your call or email within three business days, between 8:00 a.m. and 4:00 p.m., Monday to Friday.