‘Data breaches now threaten trust, safety, and the resilience of essential services, far beyond financial penalties’
Canada’s health care and social services sectors are facing an urgent cybersecurity crisis, with attacks on public systems escalating in both sophistication and frequency, according to a recent report.
Data breaches now threaten not only financial stability, but also the trust, safety, and resilience of essential services across the country, note the Canadian Cybersecurity Network (CCN)—along with Accerta and Darktrace—in their report.
In fact, 11% of cyberattacks in Canada last year targeted the public sector, the report notes, citing data from PwC.
“Cybersecurity is no longer just a technical concern—it has become Canada’s new health care emergency,” says Elias Diab, vice president of cybersecurity at Accerta. “As attacks on public systems increase, data breaches now threaten trust, safety, and the resilience of essential services, far beyond financial penalties.”
A complex, vulnerable ecosystem
Canada’s health care and social services ecosystem is broad and complex, heavily reliant on digital platforms to deliver programs supporting autism, disability, dental and mental health, and low-income populations.
Accerta points out that government agencies face significant challenges, including legacy systems, constrained budgets, and overlapping vulnerabilities across departments. “The dependence on digital platforms, combined with inter-jurisdictional data sharing, creates a sprawling attack surface vulnerable to disruption,” Diab notes.
The need to protect sensitive health data in social programs is now central to the challenge. While electronic records and mobile health apps expand access, they also introduce new vulnerabilities. Accerta recommends that best practices such as end-to-end encryption, auditing, and Zero Trust architecture be adapted to environments where multiple service providers manage deeply personal information.
Canadian privacy and security requirements vary by sector, but all impose strict obligations to protect personal and health information. Diab highlights that compliance is not just a legal requirement but a foundational element of trust and resilience in the digital age.
The true cost of a breach
The report warns that the true cost of a data breach goes far beyond financial penalties.
“When social and health care systems are compromised, the damage is not confined to balance sheets, it undermines the lives and dignity of citizens,” Accerta writes. The consequences include erosion of public trust, jeopardised safety and eligibility for benefits, operational paralysis, and organisational strain as resources are diverted from care to crisis management.
Accerta stresses that modernisation is no longer optional, but a “strategic imperative.” The report calls for a “secure-by-design approach that embeds protection into every layer of people, process, technology, and data.” This includes encryption of mobile app data, secure APIs for inter-agency collaboration, and mandatory security audits for third-party vendors. “Embedding audit trails into inter-agency exchanges improves transparency and accountability, reducing both technical and ethical risks,” Accerta advises.
The report also emphasises the importance of administrative and physical safeguards, such as robust data-sharing agreements, continuous monitoring, and secure disposal protocols, to reinforce accountability and resilience.
One survey commissioned by the Insurance Bureau of Canada (IBC) has found that small and medium-sized businesses (SMEs) across the country may be dangerously underestimating their exposure to cyber threats—even as the financial consequences of cyber attacks continue to rise.
Growing risks from connected devices
The same report cites a 2025 study, a global analysis of more than 2.25 million Internet-of-Medical-Things (IoMT) devices and 647,000 OT devices across 351 hospitals and health care delivery organisations, which found that 89% of organisations had the top 1% riskiest IoMT devices on their networks: devices with known exploited vulnerabilities (KEVs) and insecure internet connectivity.
Another study cited in the report notes that 94% of enterprises discover endpoints they didn’t know existed.
“In some environments, scans reveal that as many as one in five devices are unmanaged.”
“For Canada’s health care and social services, cybersecurity is no longer optional, it is foundational,” reads part of the report from CCN, Accerta and Darktrace. The organisations urge all stakeholders to recognise that protecting sensitive health data is a shared responsibility that requires collaboration, vigilance, and innovation.
While the adoption of AI tools by government offices is progressing at a slow pace, public workers’ use of the technology is a cause for concern, according to a KPMG report. Overall, just 22% of Canadian public sector organisations have adopted AI. Half of the public servants who use AI in their jobs rely on publicly available AI tools.