Families department criticized for 2024 cyberattack

The Manitoba ombudsman is criticizing the families department’s service provider and security policies after data involving vulnerable Manitobans was accessed in a 2024 cyberattack.

A report by the ombudsman’s office, released May 28, revealed 1,361 clients of Community Living disABILITY Services may have had their personal and health information stolen when a third-party provider was hacked on Oct. 8, 2024.

Community Living disABILITY Services supports eligible adults with intellectual disabilities.

The intrusion was detected and the families department was notified the next day. The source of the hack was not disclosed in the report.

The name of the service provider and the work it was doing for the families department were not disclosed, but the document notes it is a non-profit organization.

After the incident, the service provider in question implemented several security measures, the report states.

Following an investigation, the ombudsman’s office found the families department did not have specific security and audit policies for service providers to ensure personal information is stored securely.

“When Manitobans receive services through government programs and entrust their highly sensitive (personal information) and (personal health information) to a public body or trustee, they also rely on that public body or trustee to protect their information,” the report states.

The report also criticized the department for its tardy alert to potential victims, saying it did not notify affected clients and caregivers until Nov. 24, 2024.

While the department attributed the delay to an ongoing investigation into the hack and a Canada Post strike, which began Nov. 15 that year, the report says a warning should have gone out sooner through an indirect channel (such as a public notification) or the media — given the “acute sensitivity” of the information involved.

“An earlier notification would have allowed individuals and their caregivers to take protective steps at an earlier stage, including monitoring financial accounts and taking steps to secure their (social insurance numbers) and (personal health identification numbers),” the report states.

In its investigation, the ombudsman’s office found the families department relied on wording in its contract with the service provider as the mechanism for ensuring that organization adopted security safeguards. The department did not conduct any audits to make sure the company was protecting client data and didn’t have its own policy or guidelines on security requirements for vendors.

The families department told investigators it provided “guidance” to its service providers on privacy and security matters in 2022, and again in 2025.

However, the guidelines were general privacy awareness presentations and not specific enough for the work being done, the report says. “The absence of vendor and service provider management policies and security control guidelines has significant implications for families’ ability to fulfil its obligations under (legislation).”

The report issued five recommendations, which the families department formally accepted last week and has 60 days to implement, including: develop and communicate minimum standards for the protection of personal and health information; enforce framework for managing the cybersecurity risks associated with third-party service providers; review and update current contracts with updated privacy and cybersecurity expectations; develop and enforce an audit and oversight process for service providers handling personal information; and follow up with the service provider involved in the hack to ensure it implements security and safety mechanisms.

On Tuesday, Families Minister Nahanni Fontaine told the Free Press the department is working to implement the recommendations. She added cyberattacks are the new reality for government departments and organizations.

Since the 2024 hack, no privacy breaches have been reported as a result of cybersecurity incidents, a provincial spokesperson said.

The ombudsman’s office did not respond to queries about the investigation.

nicole.buffie@freepress.mb.ca