Ontario is facing growing criticism over a significant data breach that may have compromised the personal health information of up to 200,000 home care patients, nearly one-third of the province’s total home care population. The incident, involving Ontario Health atHome—a government agency responsible for coordinating home and community care for seniors and medically complex individuals—has been condemned by both opposition leaders and privacy advocates for delayed action and poor transparency.
Dr. Adil Shamji, Liberal health critic and MPP for Don Valley East, has described the situation as a “dereliction of duty” by the Ford government and called the delay in notifying affected patients “appalling.” According to Dr. Shamji, the breach occurred on March 17 but was not disclosed to the public until nearly three and a half months later, only after he raised concerns publicly on June 27. “This is a scandalous lack of action,” he told reporters, noting that he confirmed the details after contacting the Office of the Information and Privacy Commissioner (IPC).
The IPC has since acknowledged that it was formally notified of the breach by Ontario Health atHome on May 30. While a full investigation is underway, the IPC reiterated that under Ontario’s Personal Health Information Protection Act (PHIPA), health custodians are required to take reasonable steps to protect health data and notify both the IPC and affected individuals at the “first reasonable opportunity” following a breach.
The breach is believed to be linked to a cybersecurity incident involving a vendor, Ontario Medical Supply (OMS). According to Ontario Health atHome, OMS initially reported a system outage that was later confirmed to be a cyberattack that may have exposed sensitive data, including names, contact information, and details of medical equipment ordered.
Despite these acknowledgements, Ontario Health atHome has not provided clarity on the exact timeline of the breach, the volume of records affected, or the reason for the delay in notifying patients. This has prompted further concern and calls for accountability.
Ema Popovic, spokesperson for Ontario’s Minister of Health, acknowledged procedural failures and confirmed that Health Minister Sylvia Jones has directed Ontario Health atHome to take immediate corrective measures. These include working closely with OMS to notify impacted individuals and reviewing all vendor processes to ensure such a breach does not recur. “The fact that this process was not followed is unacceptable,” Popovic stated, adding that all vendors must uphold the highest standards of data protection and patient trust.
This is the second major controversy surrounding Ontario Health atHome within the past year. In late 2024, the agency faced backlash due to supply shortages and service delays impacting palliative care patients after new vendor contracts were introduced. The latest breach now adds to a pattern of systemic issues within the home care system, as pointed out by opposition leaders and health sector professionals.
As the IPC continues its investigation, affected patients await full transparency and reassurance that their personal health information will be better protected going forward. The Government of Ontario has pledged to tighten oversight and demand greater accountability from all health service providers involved.