A ransomware attack on TransForm, an IT service provider for five hospitals in southwestern Ontario, Canada, led to severe operational disruptions. Hackers from the Daixin Team breached systems on October 23, gaining access to a database containing 5.6 million patient visits and the social insurance numbers of 1,400+ employees. The attack caused IT outages, forcing hospitals including Windsor Regional Hospital, Erie Shores HealthCare, Hôtel-Dieu Grace Healthcare, Bluewater Health, and Chatham-Kent Health Alliance to shut down email, Wi-Fi, and patient information systems and revert to pen-and-paper records.

Critical medical services were halted: cancer radiation treatments were canceled or transferred, surgeries were postponed, and patients endured delays. The attackers destroyed backups, demanded a $4M ransom, and leaked hundreds of gigabytes of data including COVID-19 vaccination records, diagnoses, and medications, threatening further leaks or sales to fraudsters. The hospitals refused to pay, citing patient suffering. The breach exploited weak passwords and a lack of network segmentation, enabling lateral movement across systems. The attack directly threatened patient lives by disrupting time-sensitive treatments such as cancer care and surgeries, while exposing highly sensitive health and employee data.
TPRM report: https://www.rankiteo.com/company/transform-shared-service-organization
{
  "id": "tra1062610091025",
  "linkid": "transform-shared-service-organization",
  "type": "Ransomware",
  "date": "11/2024",
  "severity": "100",
  "impact": "7",
  "explanation": "Attack that could injure or kill people"
}
{'affected_entities': [{'customers_affected': '5 hospitals and their patients/employees',
                        'industry': 'healthcare',
                        'location': 'Southwestern Ontario, Canada',
                        'name': 'TransForm Shared Service Organization',
                        'type': 'IT service provider'},
                       {'customers_affected': 'patients (including cancer patients), staff',
                        'industry': 'healthcare',
                        'location': 'Windsor, Ontario, Canada',
                        'name': 'Windsor Regional Hospital',
                        'type': 'hospital'},
                       {'customers_affected': 'patients, staff',
                        'industry': 'healthcare',
                        'location': 'Southwestern Ontario, Canada',
                        'name': 'Erie Shores HealthCare',
                        'type': 'hospital'},
                       {'customers_affected': 'patients, staff',
                        'industry': 'healthcare',
                        'location': 'Windsor, Ontario, Canada',
                        'name': 'Hôtel-Dieu Grace Healthcare',
                        'type': 'hospital'},
                       {'customers_affected': 'patients, staff',
                        'industry': 'healthcare',
                        'location': 'Southwestern Ontario, Canada',
                        'name': 'Bluewater Health',
                        'type': 'hospital'},
                       {'customers_affected': 'patients, staff',
                        'industry': 'healthcare',
                        'location': 'Chatham-Kent, Ontario, Canada',
                        'name': 'Chatham-Kent Health Alliance',
                        'type': 'hospital'}],
 'attack_vector': ['weak/reused passwords', 'lack of network segmentation'],
 'data_breach': {'data_encryption': 'yes (ransomware encryption; backups destroyed)',
                 'data_exfiltration': 'yes (hundreds of gigabytes leaked; threat of further leaks/sales on dark web)',
                 'file_types_exposed': ['patient records',
                                        'vaccination documents',
                                        'diagnosis/medication files'],
                 'number_of_records_exposed': '5.6 million (patient visits) + 1,400+ (employee SINs)',
                 'personally_identifiable_information': 'yes (names, social insurance numbers, medical data)',
                 'sensitivity_of_data': 'high (medical and personally identifiable information)',
                 'type_of_data_compromised': ['patient visit records',
                                              'employee social insurance numbers',
                                              'COVID-19 vaccination records',
                                              'patient diagnoses',
                                              'medication documents']},
 'date_detected': '2023-10-23',
 'description': 'A ransomware attack by the Daixin Team targeted IT service provider TransForm, '
                'disrupting operations at five hospitals in southwestern Ontario. The attack '
                'compromised a database containing 5.6 million patient visits and the social '
                'insurance numbers of over 1,400 employees. Hospitals experienced IT outages, '
                'appointment delays, cancelled surgeries, and resorted to manual record-keeping. '
                'The attackers demanded a $4 million ransom, which was refused. Patient data, '
                'including COVID-19 vaccination records and medical diagnoses, was leaked online.',
 'impact': {'brand_reputation_impact': 'severe (public refusal to pay ransom, patient suffering highlighted)',
            'data_compromised': ['5.6 million patient visit records',
                                 'social insurance numbers of 1,400+ employees',
                                 'COVID-19 vaccination records (names, dates)',
                                 'patient diagnoses and medication documents'],
            'identity_theft_risk': 'high (social insurance numbers and medical data exposed)',
            'operational_impact': ['appointment delays',
                                   'cancelled surgeries (including cancer radiation treatments)',
                                   'patient transfers to other hospitals',
                                   'manual record-keeping (pen and paper)'],
            'systems_affected': ['email systems',
                                 'Wi-Fi',
                                 'patient information systems',
                                 'backups (destroyed)']},
 'initial_access_broker': {'data_sold_on_dark_web': 'threatened (data offered to scammers/fraudsters)',
                           'high_value_targets': ['patient databases',
                                                  'employee records']},
 'investigation_status': 'ongoing (restoration in progress; no ransom paid)',
 'lessons_learned': ['Reusing passwords across systems enables lateral movement by attackers.',
                     'Lack of network segmentation allows attackers to infiltrate multiple systems.',
                     'Critical healthcare operations (e.g., cancer treatments) are severely impacted by IT outages.',
                     'Public refusal to pay ransom can be a strategic communication tool but may escalate data leaks.'],
 'motivation': 'financial gain (ransomware extortion)',
 'post_incident_analysis': {'root_causes': ['password reuse across systems',
                                            'lack of network segmentation',
                                            'inadequate backup protection']},
 'ransomware': {'data_encryption': 'yes (including destruction of backups)',
                'data_exfiltration': 'yes (double extortion: encryption + data theft)',
                'ransom_demanded': '$4,000,000 USD',
                'ransom_paid': 'no'},
 'recommendations': ['Implement multi-factor authentication (MFA) and enforce strong, unique passwords.',
                     'Segment networks to limit lateral movement during breaches.',
                     'Regularly test and secure backup systems to prevent destruction during attacks.',
                     'Develop and drill incident response plans specific to ransomware and data breaches.',
                     'Enhance monitoring for early detection of reconnaissance and infiltration attempts.'],
 'references': [{'source': 'Databreaches.net'},
                {'source': 'Local media reports (unspecified)'}],
 'response': {'communication_strategy': ['public refusal to pay ransom',
                                         'appeal to attackers to delete data',
                                         'highlighting patient suffering'],
              'incident_response_plan_activated': 'yes (negotiator engaged)',
              'remediation_measures': ['restoration of operations in progress'],
              'third_party_assistance': 'yes (ransomware negotiator)'},
 'stakeholder_advisories': ['Public statement refusing ransom payment',
                            'Appeal to attackers to cease further harm'],
 'threat_actor': 'Daixin Team',
 'title': 'Ransomware Attack on TransForm IT Service Provider Affecting Five Hospitals in Southwestern Ontario, Canada',
 'type': ['ransomware', 'data breach'],
 'vulnerability_exploited': ['poor password hygiene',
                             'inadequate network segmentation']}