It was early June when representatives of the Ford government’s home care agency penned an increasingly frustrated and urgent legal letter to one of its vendors.
Weeks after a ransomware attack, officials were still trying to work out how many Ontarians had been impacted.
“Just want to reiterate the urgency around the numbers,” a representative of Ontario Health atHome wrote in an email on June 9, 2025.
“We really need to understand our actual exposure (not the potential exposure). Anything you and your client can do to expedite and provide this information sooner rather than later would be appreciated.”
Two months earlier, the company — Ontario Medical Supply (OMS) — had informed Ontario Health atHome its systems had been breached.
The breach would turn out to be a ransomware attack which impacted some 200,000 home care patients in Ontario. A government report suggests OMS ultimately paid the ransom demanded to get access to its servers again.
Despite not knowing for weeks how many patients were impacted, the Ministry of Health did not reveal the cyberattack until an Ontario Liberal MPP sounded the alarm in late June 2025.
Before that, hundreds of pages of internal emails and reports, obtained by Global News using freedom of information laws, reveal a tense scramble to see what data had been compromised and what should be done.
Risk initially assessed as ‘low’
The documents show ransomware likely accessed servers used by OMS without being noticed in mid-March 2025, remaining dormant for a month before it triggered its “payload” on April 13.
Get weekly health news
Receive the latest medical news and health information delivered to you every Sunday.
When the malware was activated, it locked a “significant portion” of the company’s servers, demanding a payment to return access.
The day after the attack, OMS told Ontario Health atHome it had suffered a breach and was taking steps to address it. The messages suggest that, initially at least, the breach was not seen as a major risk.
At one point, a note from OMS said that, “based on the controls that are in place, we have assessed the risk to Ontario Health and provisional healthcare services as low.”
Days after being told about the attack, Ontario Health atHome started asking questions.
According to a letter from its lawyers, the agency requested details of the attack. OMS told them it would only answer if “questions were put in writing.”
For more than two weeks after the attack took place, it appears neither OMS nor Ontario Health atHome thought personal health records had been accessed. Then, in early May, OMS confirmed public health information “may have been exfiltrated.”
The first disclosure that patient information could have been involved came on May 6. It wasn’t until May 21, according to the letter and the provincial government, that OMS confirmed public health data was definitely taken.
Unclear what data was impacted
Even after learning that patient data had been impacted, OMS appeared to remain comfortable that the situation was under control.
“We are confident that this threat has been contained and eradicated, and that we now have exceptional security safeguards in place, providing excellent visibility and protection,” an email from its CEO to Ontario Health atHome explained.
Officials at the agency pushed back, asking for specifics on how many patients had potentially had their data stolen and their identities, so they could be contacted.
“It is difficult to pinpoint exact patients, but we do know that files containing basic patient data would have been compromised,” OMS’ CEO wrote on May 23. “Our estimate is that the number impacted is 200,000. We don’t believe we will get to a more precise figure.”
The back-and-forth continued for weeks. From the moment the attack was disclosed, OMS had been kept out of Ontario Health atHome’s systems, as cybersecurity staff worked to see if it was safe to reconnect the vendor.
The emails obtained by Global News come from the government agency and chronicle its internal frustration with how OMS appeared to be handling the cyberattack. Snippets suggest the company was also struggling with Ontario Health atHome’s response.
On June 11, the CEO of OMS wrote to Ontario Health atHome to complain that his company had “provided all the necessary remedial work” after the ransomware attack, and not being able to integrate with the government’s systems was hurting patient care.
“Does the leadership of OHaH understand that your IT is requiring that we provide information on stockouts and similar notifications as a critical item to reconnection when we haven’t been able to provide this since April 13th?” the CEO wrote in an email.
The letter from Ontario Health atHome’s lawyers, sent two days after the reconnection complaint, said the agency still had no real idea of how many patients were impacted.
“To date, and despite multiple requests on the part of OHaH, OMS has failed to provide a breakdown of the ‘approximately 200,000′ individuals affected by the Incident, including the number of OHaH patients impacted, and/or any other details about the specific personal information and/or (personal health information) that has been compromised,” an extract read.
The breach was revealed two weeks later by Ontario Liberal MPP Adil Shamji.
To date, the government has still not offered a more detailed figure than 200,000 patients. The value of the ransom also remains unknown.
OMS did not respond to questions ahead of this story, while the Ministry of Health did not address Global News’ questions in a statement.
© 2026 Global News, a division of Corus Entertainment Inc.
