Ontario health agency vendor suffered major ransomware attack in 2025 | Globalnews.ca


A vendor contracted by the agency in charge of overseeing Ontario’s home care system suffered a ransomware attack, Global News can reveal – details the province didn’t share after the incident.

Ontario Health atHome, a body created by the Ford government to coordinate resources for home care and palliative patients, came under scrutiny last year after one of its vendors was hit with a cyberattack that was kept under wraps for months.

The vendor, Ontario Medical Supply (OMS), was first infiltrated in March 2025, before the company was locked out of “a significant portion” of its servers.

Ontario Health atHome didn’t immediately alert patients about the breach, but an Ontario Liberal MPP raised the alarm more than two months after the incident. Even then, details from the government about the attack were scarce.

“Following an investigation by OMS, they notified Ontario Health atHome that the outage was a cybersecurity attack and health information had been breached,” a statement last year read.

Now, internal reports and emails obtained by Global News confirm the breach was, in fact, ransomware that locked servers and led to weeks of internal confusion about what data had been compromised.

Chris Nyhuis, a cybersecurity expert and founder of Vigilant, said that while there are worse cyberattacks than ransomware, rapid disclosure is key to ensuring impacted patients can protect their personal information.

“Once that ransomware attack happens, the attackers are doing two things. They’re encrypting all the data, but they’re also stealing the data, and they steal it first,” he explained.

“Early detection of that and early prevention, once someone has it, is really important. If an attacker steals (identifying information), if you protect yourself within the first four weeks, you’re probably okay. After that, they’re going to use it; it’s going to be out there, and your data is gone.”

The government told Global News it had disclosed the fact that an attack had taken place.

One message obtained using freedom of information laws shows ransomware was “earliest observed” accessing an OMS system on March 17, 2025.

Less than a month later, on April 13, “the ransomware payload was triggered,” suggesting the malware had been activated.

It was then, the messages show, that “OMS discovered the attack,” which is estimated to have impacted some 200,000 patients and included “name, contact information and medical supplies or equipment ordered.”

Liberal MPP Adil Shamji, who first revealed the attack last June, prompting the government to confirm it, said the revelation that the cyberattack was ransomware is key.

“It’s alarming that the scale of the privacy breach, the personal health information breach, was as great as it is,” he said.

“Until this very moment, the people who’ve been impacted by this and have potentially had their information stolen by a bad actor have never known just how much at risk they actually were.”

The Ministry of Health said that OMS is a private company and that no ransom was demanded from either the province or Ontario Health atHome.

OMS did not respond ahead of publication, but posted a statement last year.

“We have determined that a limited amount of incomplete data was exfiltrated during the incident… there is no evidence that any personal financial information or critical health data was exfiltrated. There is also no evidence that any of the information has been misused,” part of the statement read.

“Safeguarding the personal health information entrusted to us is our top priority, and we are committed to supporting any customers who have concerns or may have been affected by this incident.”

In response to questions from Global News about why the government had not disclosed the exact nature of the incident, a Ministry of Health spokesperson suggested that saying it was a cyberattack was sufficient.

“From the outset it was made clear to Global News and other media outlets that the incident involving personal health information at one of Ontario Health atHome’s vendors, Ontario Medical Supply (OMS), was a cybersecurity attack,” they wrote.


“Reporting otherwise is factually incorrect and would be misleading to your readers.”

Ontario Health atHome did not respond to questions.

Timeline

  • March 17, 2025: Earliest observed access into OMS systems.
  • April 13, 2025: Ransomware “payload” is triggered.
  • April 14, 2025: OMS’ systems fail, indicating a breach has taken place and Ontario Health atHome is informed.
  • May 21, 2025: OMS confirms patient information has been compromised as part of the cyber incident.
  • May 30, 2025: The Information and Privacy Commission is informed about the cyber incident, including potential patient data.
  • June 27, 2025: Ontario Liberal MPP Adil Shamji reveals a cyber incident, the government confirms it and orders Ontario Health atHome to tell patients.
  • March 9, 2026: Cyberattack confirmed to be ransomware.

There is a difference between a cyberattack — which can cover a variety of issues — and ransomware.

“A cyberattack could be anything from an attacker manually infiltrating an organization and stealing data or disrupting infrastructure,” Nyhuis explained.

“It could mean that they found an embedded threat — because a lot of times an attacker will embed themselves quietly and just wait because they want to come back later and do something — all the way to things like ransomware, where it just encrypts the entire infrastructure and takes it completely offline.”

Shamji said he was concerned that the government had not shared the fact that the attack was ransomware.

“They have an obligation to disclose, an obligation that they have failed to meet,” he said.

© 2026 Global News, a division of Corus Entertainment Inc.