BreachExchange mailing list archives
Health records compromised
From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Wed, 17 Mar 2010 22:07:22 -0400
http://www.calgarysun.com/news/alberta/2010/03/17/13261481.html

Alberta’s privacy commissioner has launched an investigation into the potential compromise of thousands of patient files at a northeast medical clinic.

The University of Calgary Sunridge Medical Clinic at 3465 26 Ave. N.E. has sent letters to more than 4,700 patients informing them their personal information may have been accessed by unauthorized parties after two viruses infected one of the clinic’s computers.

The computer affected was used to store copies of faxes — potentially including test results and specialist consultation forms — as well as medical legal reports and billing data. The viruses did not hit the computer storing electronic medical records.

Staff at the facility learned about the viruses Jan. 8 and immediately updated the computer’s anti-virus software, which was out of date at the time, said Dr. Cathy MacLean, head of the U of C’s family medicine department.

On Jan. 14, staff realized there was patient information on the computer and shut down the machine. For the next several weeks, they went through lists of patients to see which ones may have had their information compromised and should receive one of the letters mailed out Monday.

MacLean said though much of the information stored on the computer was coded or in PDF form, she understands patients’ concerns.

“One of the viruses is the type used by someone unauthorized to remotely control a computer,” she said, adding it’s believed the hacker was trying to disrupt business, not access records.

The same clinic experienced a privacy scare last year, when staff learned information shared on a U-of-C-operated intranet was accessible to unauthorized third parties, though no system breach was ever confirmed.

Wayne Wood, a spokesman for the Office of the Information and Privacy Commissioner of Alberta, said a formal investigation into the most recent incident has been launched, but is expected to take at least a month to complete.

A similar problem unfolded last summer, said Wood, when the information of up to 11,500 patients may have been exposed in the Edmonton area after a virus attacked Alberta Health Services’ network as well as several employee computers.

“Every once in awhile someone figures out how to get past the firewall,” said Wood. “It seems the bad guys are always two steps ahead in terms of technology.”

Under the Health Information Act, any medical facilities that use electronic files must do a privacy impact assessment prior to operating the computer database, said Wood.

Alberta Health Services’ IT assistance group was also asked to help with remediation in the situation, said AHS spokesman Don Stewart.

Patients of the clinic are advised to be wary about the possibility of identity theft and are encouraged to contact the U of C’s Access and Privacy Coordinator at 403-220-3602 with any questions or concerns.