A previous version of this story' included a headline which indicated that the province was "targeted for extortion" in a cyberbreach last year. However, it is a third-party vendor, contracted by Ontario Health atHome, that was impacted by the ransomware attack. — Ontario Health Minister Sylvia Jones says no ransom was paid following a cyberbreach that the opposition claims leaked personal health data for at least 200,000 homecare patients.
The breach occurred last March but was not publicly disclosed until a few months later, on June 27.
At the time, a spokesperson for the Ministry of Health said it was “unacceptable” that the process should be followed in cyberbreach incidents, including identifying when it happened and notifying the government, “was not followed.”
The spokesperson added that Jones directed Ontario Health atHome to work with the vendor to immediately notify impacted patients.
Adil Shamji, Liberal MPP for Don Valley East, issued a news release on Monday, demanding accountability from the province after it was reported last year’s cyber attack was seeking ransom.
Reporting from Global News revealed one of Ontario Health atHome’s vendors, Ontario Medical Supply, was the target of a ransomware attack in March 2025, which locked the company out of a large swath of its servers. The ministry tells CTV News Toronto that this was a third-party vendor.
“No Ontario Health atHome networks or infrastructure were impacted by this incident,” a spokesperson for the Minister of Health said in a statement.
Patients weren’t immediately notified of the breach, something Shamji had pointed out back in June, when he demanded the province’s information and privacy commissioner investigate what happened after “three-and-a-half months of inaction.” His letter in June also noted this breach may have impacted the records of nearly a third of Ontario’s homecare patients.
“Until now, the specific details of the cybersecurity incident were unknown, but new findings reveal that personal health information was encrypted by malicious parties who refused to restore access unless a ransom was paid,” Shamji said.
“The sinister motive of the perpetrators now indicates a heightened risk to homecare patients and reveals a previously concealed element of criminality which the Premier and Minister of Health have failed in their duty to disclose.”
Shamji underlined how the province was “targeted for extortion by criminals in an operation that can only be described as a shakedown,” and demanded the province provide answers to patients and taxpayers.
“This is alarming—both from the perspective of accountability for taxpayer dollars, but also because payment of ransom under the Criminal Code of Canada can be illegal under specific circumstances,” Shamji said.
Speaking at an unrelated news conference on Monday, Jones responded to the ransomware attack and said the information and privacy commissioner was part of the process to ensure records were protected.
“There was no taxpayer money used to assist and resolve the cyber breach, but it speaks to the importance of making sure that we work together and across organizations to make sure that individuals’ privacy can and will continue to be protected,” Jones told reporters.
“The Information and Privacy Commissioner was immediately notified, the individuals who may have been impacted were notified, and no tax dollars were used in any way to support the cyber breach request.”
