Ontario investigating potential security breach associated with COVID-19 vaccine portal
TORONTO -- Ontario authorities are investigating reports of a possible security breach associated with the provincial COVID-19 vaccine booking portal.
A spokesperson for the Solicitor General confirmed the government has received multiple reports of spam text messages received by individuals who scheduled appointments or accessed vaccine certificates through the COVID-9 immunization system.
"Ontarians should be aware these texts are financial in nature and that the government will never conduct a financial transaction through these methods," Marion Ringuette said in a statement.
"The government takes allegations of fraud very seriously and is aggressively investigating these reports with our partner ministries, the Ontario Provincial Police (OPP) and others."
The OPP has confirmed to CTV News Toronto that it is investigating reports of "spam text messages from individuals who have utilized the COVID-19 booking system for appointments or to access vaccine certificates."
"As this investigation is ongoing, it would not be appropriate to comment further at this time," Bill Dickson, Corporate Communications Manager with the OPP, said.
One Ontario resident told CTV News Toronto that she received two text messages addressed to her 12-year-old daughter on Nov. 14.
"We get phishing text messages all the time from different things, but this one was interesting because it was my daughter, who was 12 years old. It was in her name and it was really just asking us to reply to accept money," Carla Embleton said.
Embleton said she became concerned that her daughter's personal information may have been compromised.
"What really triggered it for me was the spelling of her name. It was her name, her full name with middle name, and her middle name was fully capitalized and the only time I've ever seen that was on her vaccine passport."
Mike Primeau from Ottawa received a similar text to his cell phone a few days later, also addressed to his son. In the text, Primeau is told that he has been sent "a reimbursement of $163.36" and is asked to reply to receive the payment.
Primeau told CTV News Toronto that he asked his son if they had registered for anything together that could have led to the phishing text.
"At that time he couldn't think of anything, any source of it," he said.
After seeing media reports about the potential breach, Primeau realized the text could be related as his son's full name, including his middle name, was used. While his son was registered to get the vaccine over the summer, the entire family did log back into the system to download their proof of vaccination when the provincial mandate came into effect.
"It worries me more around, you know, what kind of information could they gather from that first name, last name, date of birth, health card," he said, while adding that he knows those responsible for the website are doing everything they can to keep it secure. "Maybe there's healthcare fraud involved, but as far as using (the portal) again, I probably would."
On social media, multiple people have reported receiving text messages with either their full names or the full names of their children. However, it seems like the requests for each text are slightly different.
It is unclear when officials were first notified of the potential breach, but Premier Doug Ford told reporters Monday that he received a briefing about the investigation over the weekend.
"I've had a conversation with my chief of staff, principal secretary and secretary of cabinet and they have all hands on deck on all our ministry especially or Ministry of Health, and I'm confident with the group that we have down there," Ford said, adding that "cybersecurity is so important."
"They're getting more technical, more sophisticated every single day."
News of the potential security breach came as Ontario announced that COVID-19 vaccine appointments will become available for children between the ages of five and 11 as of Tuesday.
Families will be able to book appointments through the COVID-19 vaccine portal, as well as other avenues such as pharmacies and primary care offices.
While asked about the incident by a reporter, Solicitor General Sylvia reiterated Ford's confidence in the system.
"This investigation, and any investigation when we hear of potential breaches, we investigate thoroughly," Jones said.
"We are doing that now. We have confidence in the booking system that there are no concerns and as I said, we will continue to investigate all issues as we hear from local individuals."