What Happens When Hackers Steal Something You Can’t Change?

OTTAWA, ON — When a password is stolen, it can be changed. When a credit card is compromised, it can be cancelled. But what happens when attackers steal information that follows a person for life?

That question is at the center of a growing investigation after Northern Care Health Services confirmed a cybersecurity breach affecting approximately 1.9 million patients across Canada.

The healthcare network, which operates hospitals, clinics, and specialized treatment facilities across multiple provinces, disclosed this week that unauthorized actors gained access to portions of its environment through a trusted third-party vendor connection and remained undetected for nearly four months.

According to the organization, suspicious activity is believed to have begun in March 2026 and continued until investigators identified and contained the intrusion in June 2026.

The breach is believed to have exposed a significant volume of personal and medical information, including patient records, treatment histories, health card information, Social Insurance Numbers, passport information, insurance details, and other identifying records.

Most concerning to some experts is the reported exposure of biometric information used by portions of the healthcare network for patient verification and secure facility access.

A stolen bank card can be replaced. A stolen fingerprint cannot.

While Northern Care Health Services stated there is currently no evidence that patient records were altered or that care delivery was impacted, cybersecurity professionals say the incident raises questions far beyond the breach itself.

“Healthcare organizations don’t just store data,” said one cyber resilience advisor familiar with critical infrastructure security.

“They store identities. They store medical histories. They store information that follows people throughout their lives.”

For many security leaders, however, the most troubling detail is not what was stolen. It’s how long the attackers allegedly remained hidden. 

If the reported timeline is accurate, unauthorized activity occurred from March until June before being detected.

“The breach itself is concerning,” said another cybersecurity consultant.

“But the bigger question is how an organization entrusted with some of the country’s most sensitive information allegedly hosted unauthorized activity for months without detection.”

That question is now prompting broader discussions about preparedness across Canada’s healthcare sector.

For years, organizations have invested heavily in prevention-focused security controls, annual audits, compliance assessments, and technology upgrades. Yet experts argue that many organizations still spend far less time preparing for the moment those controls fail.

“If attackers can operate inside an environment for months, the conversation can no longer be limited to prevention,” the consultant said.

“The question becomes one of preparedness.”

Security leaders note that many organizations conduct annual reviews to validate security controls but rarely exercise how they would respond to a breach unfolding in real time.

Would they identify compromised vendor access? Would they know which systems were affected? Could they communicate with patients, regulators, and the public effectively? How quickly could leadership make decisions under pressure?

And perhaps most importantly:

Would they know an incident was already happening?

The breach is also drawing attention to what many experts consider one of the most significant challenges facing organizations today: third-party risk.

According to preliminary findings, investigators believe the intrusion originated through a trusted external vendor with authorized access to portions of the environment.

Experts say the breach reflects a growing reality across healthcare, finance, education, government, and critical infrastructure sectors.

Organizations are becoming increasingly dependent on trusted third parties, while attackers are becoming increasingly interested in compromising those relationships.

In many cases, threat actors are no longer targeting organizations directly. They’re targeting vendors, contractors, consultants, and service providers that already possess legitimate access.

“The front door isn’t always the easiest way in,” said one advisor.

“Sometimes attackers simply find someone who already has the keys.”

At the same time, cybersecurity professionals warn that the threat landscape itself is changing. Publicly available AI tools, automated reconnaissance platforms, credential marketplaces, and increasingly sophisticated social engineering campaigns have lowered barriers that once required specialized expertise.

While major breaches still require planning, resources, and opportunity, experts say organizations must prepare for a world where more people have access to more cyber capabilities than ever before.

“The attackers organizations prepare for today may not look like the attackers they face tomorrow,” one advisor explained.

“That’s why preparedness has to evolve.”

Many experts are now calling for more frequent tabletop exercises, breach simulations, third-party access reviews, and crisis management exercises designed to test people and processes rather than technology alone.

Because organizations can recover from outages. They can recover from financial losses. They can rebuild systems. But when attackers gain access to information people carry for life, the challenge becomes far more complicated.

The question is no longer whether organizations can survive a cyber incident.

The question is whether they are prepared to protect the things their patients, customers, students, and citizens can never replace.

Watching the perimeter — and what slips past it. — Ayaan Chowdhury