CMHA York Region and South Simcoe is providing its clients with important information about the cyber incident it has been responding to since late October.
What happened
On October 31, 2025, we advised our staff and partner organizations that we were dealing with a cybersecurity incident discovered the day before. With help from experts, we secured our network and started investigating.
Early in the investigation, we learned that data had been stolen. We involved law enforcement and notified a small number of clients and staff based on evidence from a limited set of stolen files found on our network.
We have now discovered and analyzed evidence of the entire set of stolen files. Unfortunately, the stolen files include information about a number of clients and staff.
Privacy notification
Based on our analysis to date, we are notifying our clients of the following exposure.
| Likely affected groups | Information exposed includes*
|
| All clients who received our services from 2020 to present, except clients in our BounceBack, Clinician Assisted Bibliotherapy, and Structured Psychotherapy Programs
|
Full name, information about service(s) received, diagnosis information , clinical plan information
|
| Clients in our BounceBack, Clinician Assisted Bibliotherapy (CAB), and Structured Psychotherapy (OSP) programs who received services from 2023 to present
|
Full name, information about service(s) received, assessment information, clinical plan information |
| All clients who received services as part of our BounceBack program in 2018
|
Full name, information about services received
|
| *Please note that the amount of information exposed varies by individuals. Not all individuals have had each listed data element exposed. If you would like specifics about your exposure, you may contact us.
|
|
Affected employees will be notified directly by email and former employees will receive a mailed letter if there is no email on file.
We believe this is the extent of impacts to our clients and employees, however, if further investigation reveals additional exposure, we will provide further notifications as appropriate.
We also invite you to contact us at the email below, should you have any reason to believe your CMHA information has been misused.
We have reported this matter to the Information and Privacy Commissioner of Ontario. You can learn about your entitlement to complain at http://www.ipc.on.ca, though the IPC is already investigating this incident and has our full cooperation.
What this means to affected clients
We do not believe the stolen files are possessed by the criminals who attacked our network, nor do we believe you to be at risk.
To be cautious, you should always watch for the following.
- Messages that say they are from CMHA when you weren’t expecting them.
- Anyone asking you for personal or health information (like your address, date of birth, OHIP number, Social Insurance Number, or banking details).
- Emails, texts, or calls that sound urgent or pressure you to act fast.
- Links or attachments you did not ask for or did not expect.
- Names, phone numbers, or email addresses that don’t look right or feel different from usual.
- Websites that look odd or don’t match the normal CMHA website.
What we are doing
I am deeply upset that our organization has been targeted by criminals. This attack goes against everything we stand for and the trust our community places in us. It is unacceptable that those who seek to harm others have chosen to target the important work we do. Please know that we are doing everything we can to protect our systems, safeguard your information, and hold those responsible accountable.
If you have any questions about this notice, please contact PHIPAofficers@cmha-yr.on.ca.
Sincerely,
Rebecca Shields
CEO, CMHA York and South Simcoe
