Ontario government home care vendor paid ransom to regain access to its servers: report

A medical supplies vendor, contracted by Ontario’s taxpayer-funded home care agency, paid out a ransom demand last year, after its systems were accessed and data belonging to as many as 200,000 patients was locked, according to an Ontario government agency report.

In April 2025, servers belonging to Ontario Medical Supply — which works with Crown agency Ontario Health atHome to deliver equipment to homecare patients — were locked after a ransomware attack.

A ransomware attack generally takes place when a malicious actor enters a system, stealing its files and locking them. A ransom is then demanded for the company to get access to their files again.

While the Ministry of Health initially said no ransom had been demanded from or paid by either the government or Ontario Health atHome, internal government documents reveal the full picture.

Emails and other records obtained by Global News using freedom of information law indicate that a ransom was paid — potentially by the vendor, OMS.

The revelation appears in a report submitted by Ontario Health atHome to the Information and Privacy Commissioner in late May 2025, with details of the ransomware attack along with confirmation that money was paid to the attackers to regain access.

“Other servers were unencrypted with the key provided upon payment of the ransom,” the report said.

Global News attempted to contact OMS by phone and email, but did not receive a response ahead of publication.

“We have determined that a limited amount of incomplete data was exfiltrated during the incident … there is no evidence that any personal financial information or critical health data was exfiltrated. There is also no evidence that any of the information has been misused,” the company said in a statement on its website after the attack last year.

“Safeguarding the personal health information entrusted to us is our top priority, and we are committed to supporting any customers who have concerns or may have been affected by this incident.”

Ontario Liberal MPP Adil Shamji has raised concerns about whether the ransom was paid and if it, even indirectly, involved taxpayer money.

“This constituted malicious actors with sinister interests shaking down our province and our health-care system,” he said. “(It) only underscores how swiftly the government should have acted in order to fulfil their legal obligation.”

The documents show that the ransomware is thought to have first entered the OMS system around March 17. It was activated on April 13, when the company’s servers were locked.

The report is not clear when the ransom was said to be paid to unlock the servers, but it took weeks for Ontario Health atHome and OMS to try and work out what data had been compromised.

By May 30, Ontario Health atHome submitted a report to the province’s privacy watchdog.

“OMS advised that a ransomware variant had been used to infiltrate encrypted servers storing electronic medical records,” the report, accessed using freedom of information laws, explained.

“Initially, OMS reported that no PHI appeared to be involved. Their subsequent investigation, supported by their cybersecurity experts, determined that there was PHI on the servers and that an ex-filtration of patient information was found.”

The report said that at the time OMS “had not been able to identify specific patients affected” by the breach.

&copy 2026 Global News, a division of Corus Entertainment Inc.