A ransomware attack infiltrated Ontario Medical Supply (OMS), a vendor for Ontario Health atHome, in March 2025. The breach, which locked "a significant portion" of OMS servers, impacted an estimated 200,000 patients. Information compromised included names, contact details, and medical supply orders.
Concerns were raised as the full nature of the attack, specifically that it was ransomware, was not immediately disclosed by the province. Cybersecurity experts emphasize that rapid disclosure is crucial for affected individuals to protect their personal information. The incident caused weeks of internal confusion regarding the extent of data compromise. Ontario's Ministry of Health stated no ransom was demanded and that OMS reported no evidence of personal financial or critical health data exfiltration, nor misuse of information. However, critics argue the government failed in its obligation to fully disclose the attack's details to the public.