Bluewater Health said data stolen during a recent ransomware attack pertains to approximately 5.6 million patient visits from roughly 267,000 unique patients.
However, the hospital organization said the stolen data did not include clinical records.
Bluewater Health said it is still in the process of determining the individuals affected by the data theft in order to notify them.
"While it does appear that information pertaining to employees was affected to some degree, BWH has reached the preliminary conclusion that no employee or professional staff social insurance numbers or banking information was taken," a statement issued Monday said. "They also were able to steal data from an operations file server that housed a segmented employee shared drive used by all our hospitals. The shared drive data included patient and employee information of varied amounts and sensitivity."
In response to the cyberattack, the hospital has offered two years of free credit monitoring for all employees as of October 30.
An update said the cyberattack did not involve the theft of databases linked to employee payroll, accounts payable (vendor payments or payments to professional staff), and donor information. Bluewater Health was the only institution that experienced the theft of electronic health records.
Bluewater Health, and hospitals in Chatham-Kent and Windsor, were impacted by the ransomware attack in late October of a shared service provider, TransForm Shared Service Organization.
The incident affected each institution differently.
Some pre-book appointments at area hospitals have been delayed or postponed as hospitals continue efforts to restore their systems. They expect to provide a timeline for the restoration of operations in the coming days.
A patient cybersecurity hotline has been established. For inquiries, people can call 519-437-6212 (8 a.m. to 11 p.m. Monday through Friday). Staff questions can be directed to their HR teams.
"We understand the concern this incident has raised within our communities, including patients and our employees and professional staff, and we deeply apologize," read a media release.
Findings have been reported to the Ontario Information and Privacy Commission.