What happened?
On November 20, 2025, BioPharma Services Inc. (BPSI) experienced a ransomware attack that resulted in the unauthorized encryption of several servers. Upon discovering this incident, we initiated BPSI’s incident response protocols and deployed countermeasures to prevent further unauthorized access and isolated impacted systems. We also launched a thorough investigation into the cause and extent of the incident in collaboration with third-party cybersecurity experts. At the time, no evidence was uncovered of any personal health information being accessed or removed from BPSI’s network.
Unfortunately, on February 3, 2026, we discovered that data from the November 2025 incident was posted on a dark web site. We immediately downloaded and reviewed the data to identify what it contained and who may be impacted.
Our review indicated that the information involved included study participants’ name, home address, date of birth, email address, phone number, gender, income, race/ethnicity, and health information pertaining to screening for and participation in clinical trials facilitated by BPSI. The impacted data types vary by individual.
The vast majority of impacted study participants are Ontario residents but, from time to time, we have had a relatively small number of participants from other provinces participate in trials conducted in Ontario. Those individuals may have been impacted by this incident as well.
What has been done?
We have confidence in the countermeasures taken and the security of our systems and feel we have done everything necessary at this time to continue operating safely and protect the sensitive personal information in our custody. We are actively monitoring our systems to help defend against future attacks of this nature and have further enhanced our cybersecurity safeguards. We have implemented several advanced measures already and will continue evaluating opportunities to do so, where appropriate, on an ongoing basis. We take the privacy and security of the information in our care very seriously.
BPSI has reported this matter to the Information and Privacy Commissioner of Ontario as well as law enforcement.
What can I do?
It is always recommended to be vigilant and report any suspicious activity to the appropriate authorities. Tips and resources for protecting your identity are available at https://www.priv.gc.ca/en/privacy-topics/identities/identity-theft/guide_idt/.
Who should I contact if I have questions?
If you have questions regarding this notice, please contact us at privacy@well.company. When reaching out, kindly provide your name and phone number so we can assist you promptly.
While no action is required on your part as we have already reported the incident, you have the right to complain to the Information and Privacy Commissioner of Ontario (IPC). You can contact the IPC by phone at 416-326-3333 or toll-free at 1-800-387-0073, or by email at info@ipc.on.ca.
