CyberSecurity

We took prompt steps to contain the incident. Our IT team, working with the service provider, took immediate steps to secure our systems. The vulnerability related to the service provider has been addressed.

We have stopped using the third party software involved.

We have notified individuals who may have been impacted by this incident and are in contact with the relevant authorities and regulators as part of the process.

Based on our investigation, the cybersecurity incident occurred on or around January 20, 2021.

Q: When did you first know about it?

We became aware of the incident on March 25, 2021.

Q: How do I know if I’m affected by this?

We have notified individuals who may have been impacted by this incident. If you fall into this category, you will receive a letter from us. 

Q: How do I know what types of my data may have been impacted?

If you receive a letter, it will indicate what type of data may have been impacted.

Q: I’ve received a letter. Does this mean that someone has my information? What can I do to check? 

If you have received a letter from Durham Region about this issue, then it is possible your information may have been impacted by this incident. 

There is no evidence confirming that all the personal information listed in the letter was compromised or misused, although the unauthorized third party posted some of the documents containing personal information and personal health information on the dark web in April 2021.

If you are contacted and advised that your health card number may have been affected by the incident, you can call the ServiceOntario INFOline at 1-866-532-3161 or 1-800-387-5559 to report any lost or stolen health card number.

Individuals who suspect misuse of their health card number can report suspected cases of fraud by emailing the Ontario Ministry of Health at reportOHIPfraud@moh.gov.on.ca or by calling 1-888-781-5556.

For instances where financial information may have been impacted, we are offering credit monitoring to those individuals.

If you are contacted and advised that your financial information may have been affected by the incident, as a precautionary measure, we strongly suggest  that you contact your bank, credit card company, and relevant government offices to advise them that you may have been affected by this incident.

We recommend you monitor and verify all your bank accounts, credit card and other financial transaction statements for any suspicious activity. If you suspect misuse of your personal information, you can obtain a copy of your credit report from a credit reporting bureau to verify the legitimacy of the transactions listed.

• Equifax at 1-800-465-7166 or equifax.ca
• TransUnion at 1-800-663-9980 or transunion.ca

If you are concerned that you may be a victim of fraud, you may request these bureaus place a fraud alert on your credit files instructing creditors to contact you before opening any new accounts. You may also wish to review this publication from the Information and Privacy Commissioner of Ontario, Identity Theft: A Crime of Opportunity.

For tips and resources for protecting your identity please visit ontario.ca/page/how-avoid-or-recover-identity-theft.

We are committed to protecting the personal information in our care and we are taking this matter very seriously. We are sorry for the inconvenience this may cause.

We have been working with our experts to determine the full extent of the information that may be involved and provided an initial update on our investigation through a statement on our website on April 9, 2021.

At this stage, we know an unauthorized third party accessed some personal information and we are currently notifying individuals directly who may have been impacted by this incident. We sent our first letters to those potentially impacted the week commencing April 19, 2021, and updated our FAQ and statement on our website the same day.

We are also in contact with the relevant authorities and regulators as part of the process.

Q. I believe or suspect that my information is being misused. What are you going to do about it?

We will keep this on file and are recording this information as part of our investigation. If you have any concerns, we urge you to visit https://www.ontario.ca/page/how-avoid-or-recover-identity-theft. 

It is important to note that there is no evidence to date showing that the data involved in the incident was misused.

For tips and resources for protecting your identity please visit ontario.ca/page/how-avoid-or-recover-identity-theft

Q: Have you contacted police?

Yes, we notified law enforcement.

Q: Why does Durham Region hold my data?

Our partners collect personal information on our behalf and the data is used to carry out the Region’s responsibilities. The Region has an obligation to collect this information. We rigorously follow data retention policies to minimize the vulnerability. 

This data collection is governed by legislation including the Immunization of School Pupils Act, Child Care and Early Years Act, 2014, and the Ambulance Act.

It is important to note that there is no evidence to date showing that the data involved in the incident was misused.

• Oral Health - we collect a small amount of oral health information related to clients receiving dental procedures.
• Child Care - we collect child care data as part of the Child Care and Early Years Act, 2014 to ensure children have appropriate immunizations. This is a standard process when a child is signed up to CCC. Parents fill out a form when they enroll in a child care centre and this is sent to the Region.
• Seniors’ Care - we have information related to staff of long-term care homes, retirement homes and other congregant living facilities related to immunization eligibility. Earlier in the COVID-19 vaccination efforts, we were relaying information about vaccine eligibility to appropriate health authorities.
• School Boards - we have student and parent/guardian information under the Immunization of School Pupils Act. This information is required to maintain up-to-date immunization records.

Q: Has the investigation been completed?

Durham Region has completed its investigation into this incident. We have identified and notified all individuals who may have been impacted. 

The Ontario Information and Privacy Commissioner (IPC) concluded its review of Durham Region’s privacy breach on Jan. 18, 2022. 

Q: What were the results of the investigation?

Durham Region has completed its investigation into the cybersecurity incident. All individuals who may have been impacted have been notified. The Region has taken the necessary actions to strengthen our cybersecurity safeguards.

With regards to our IT systems - the vulnerability related to the service provider has been addressed, and our systems have been secured. We also perform privacy risk assessments for any software we use.

We notified the proper authorities and regulators as part of the investigation. The Ontario Information and Privacy Commissioner (IPC) concluded its review of Durham Region’s privacy breach on Jan. 18, 2022.

We are committed to protecting the privacy of all residents and are taking this matter very seriously. 

Q: I have more questions. Can I speak to anybody about this?