The Waterloo Regional Health Network (WRHN) says a “security incident” may have exposed the personal health information of thousands of patients.

In a letter dated March 27 that was sent to affected patients, WRHN apologized and said the data breach impacted the network’s connection to a third-party system it uses to send primary health care providers information about a patient’s care. That system is hosted by Ontario Health.

“This incident occurred outside WRHN’s network and was contained on January 13, 2026,” the letter said. “WRHN’s internal systems remain secure and were not affected.”

In a statement to CBC News, WRHN said the data breach was contained within hours of it being identified and it did not affect clinical records or patient care.

WRHN’s letter to patients said it can’t rule out the possibility that personal health information was compromised.

The network said information that could have been exposed may include clinical information relating to the care 150,000 people received between April 2025 and January 2026.

In its statement, WRHN said the investigation shows a “low likelihood that personal health information was accessed or misused.”

“Out of an abundance of caution, WRHN has begun notifying potentially affected patients; however, patients do not need to take any action at this time,” WRHN said.

WRHN also said patients can contact the network if they notice anything suspicious that may be related to the incident, adding it has also reported the incident to the Ontario Privacy Commissioner.

CBC News reached out to Ontario Health for comment, but did not receive a reply by deadline.