Health records compromised

[Jake Kouns <jkouns () opensecurityfoundation org>]

http://www.calgarysun.com/news/alberta/2010/03/17/13261481.html

Alberta’s privacy commissioner has launched an investigation into the
potential compromise of thousands of patient files at a northeast
medical clinic.

The University of Calgary Sunridge Medical Clinic at 3465 26 Ave. N.E.
has sent letters to more than 4,700 patients informing them their
personal information may have been accessed by unauthorized parties
after two viruses infected one of the clinic’s computers.

The computer affected was used to store copies of faxes — potentially
including test results and specialist consultation forms — as well as
medical legal reports and billing data.

The viruses did not hit the computer storing electronic medical records.

Staff at the facility learned about the viruses Jan. 8 and immediately
updated the computer’s anti-virus software, which was out of date at
the time, said Dr. Cathy MacLean, head of the U of C’s family medicine
department.

On Jan. 14, staff realized there was patient information on the
computer and shut down the machine.

For the next several weeks, they went through lists of patients to see
which ones may have had their information compromised and should
receive one of the letters mailed out Monday.

MacLean said though much of the information stored on the computer was
coded or in PDF form, she understands patients’ concerns.

“One of the viruses is the type used by someone unauthorized to
remotely control a computer,” she said, adding it’s believed the
hacker was trying to disrupt business, not access records.

The same clinic experienced a privacy scare last year, when staff
learned information shared on a U-of-C-operated intranet was
accessible to unauthorized third parties, though no system breach was
ever confirmed.

Wayne Wood, a spokesman for the Office of the Information and Privacy
Commissioner of Alberta, said a formal investigation into the most
recent incident has been launched, but is expected to take at least a
month to complete.

A similar problem unfolded last summer, said Wood, when the
information of up to 11,500 patients may have been exposed in the
Edmonton area after a virus attacked Alberta Health Services’ network
as well as several employee computers.

“Every once in awhile someone figures out how to get past the
firewall,” said Wood.

“It seems the bad guys are always two steps ahead in terms of technology.”

Under the Health Information Act, any medical facilities that use
electronic files must do a privacy impact assessment prior to
operating the computer database, said Wood.

Alberta Health Services’ IT assistance group was also asked to help
with remediation in the situation, said AHS spokesman Don Stewart.

Patients of the clinic are advised to be wary about the possibility of
identity theft and are encouraged to contact the U of C’s Access and
Privacy Coordinator at 403-220-3602 with any questions or concerns.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/

Get business, compliance, IT and security staff on the same page with
CREDANT Technologies: The Shortcut Guide to Understanding Data Protection
from Four Critical Perspectives. The eBook begins with considerations
important to executives and business leaders.
http://www.credant.com/campaigns/ebook-chpt-one-web.php