Alert – Aetonix Cybersecurity Incident
Attention HIROC Subscribers, High Priority
Please share this alert with your Information Technology (IT) team to ensure that potential third-party cybersecurity risks are identified and addressed in a timely manner.
As your proactive partner in safety, HIROC is sharing the following important update:
Several HIROC Subscribers have been impacted by a recent cybersecurity incident experienced by Aetonix. Aetonix has reported a potential incident involving data uploaded to Aetonix’s ‘aTouchAway platform’ on or before February 23, 2023. Data of Canada-based healthcare providers, patients and/or their caregivers may have been compromised.
Note: Aetonix is a third-party provider of a tool called aTouchAway. This technology supports remote patient care through virtual communications, remote monitoring of patients, secure messaging, audio/video conferencing, etc.
HIROC recommends Subscribers take the following immediate actions:
1. Forward this alert to your Chief Information Officer, Chief Privacy Officer and Information Technology team immediately to investigate and understand if your organization has been impacted by this incident.
If your organization uses Aetonix, please reach out to HIROC and report this incident as a claim as soon as possible. If you have already reported this incident, please continue to keep us informed as you learn more about this incident.
2. If you haven’t already done so, take a quick inventory of your critical information systems that are managed by third parties and take the necessary proactive measures to manage third-party risks. These measures include, but are not limited to:
- Following a thorough screening process involving security, privacy and service delivery risk assessments prior to onboarding a vendor.
- Obtaining proof of annual or ongoing third-party attestation of industry-recognized information security principles and certifications (e.g., SOC 2, ISO, NIST).
- Verifying the statement of work (SOW) on a quarterly basis, reviewing open/outstanding tickets and sharing privacy/security reminders with each third-party provider.
- Understanding how your data is transported, stored, used and protected (i.e., test environments should have the same level of security and privacy controls as the production environment, and the use of production data for testing should be limited).
3. Ensure those responsible for information security at your organization subscribe to security advisory services such as the ones noted below:
- Canadian Centre for Cyber Security, Government of Canada
- Cyber Security Education & Centre of Excellence Unit, Ontario Government
We Are Here for You
In the event of a cyber loss, please contact Marnie MacPhee, Director of Claims at firstname.lastname@example.org (416-730-3056), or HIROC’s Claims Department at email@example.com.
If you have any questions about this alert, please reach out to Kopiha Nathan, HIROC's Lead, Privacy and Compliance Officer, directly at firstname.lastname@example.org (416-400-7971).
Thank you for your attention to this matter.