BreachExchange mailing list archives

B.C. Health Ministry data breach affects millions – 38,000 will receive letters


From: Erica Absetz <eabsetz () opensecurityfoundation org>
Date: Tue, 15 Jan 2013 13:07:13 -0500

http://www.timescolonist.com/news/local/b-c-health-ministry-data-breach-affects-millions-38-000-will-receive-letters-1.47803

The personal health data of more than five million British Columbians
was improperly stored or accessed, said B.C. Health Minister Margaret
MacDiarmid, Monday.

The information was used by researchers for research only, MacDiarmid
said, however regarding the most serious alleged privacy breach,
letters will be sent out to 38,000 individuals this week.

“The ministry has confirmed that there have been three instances of
health data that has been inappropriately accessed and the public
needs to be aware of these,” MacDiarmid said, in a press conference.

The Health Ministry has been investigating allegations of conflict
of interest, along with inappropriate conduct, data management and
contracting out in its pharmaceutical services division since May.

Ministry investigators are looking at alleged privacy breaches
regarding the storing and sharing of provincial and federal health
data as well as research grant practices between Health Ministry
employees and researchers at the University of Victoria and University
of B.C.

In an update of the nine-month probe of “tens of thousands” of
computer records dating back several years, MacDiarmid served up three
examples of alleged wrongdoing Monday.

The alleged breaches in June 2012 and October 2010 do not include
personal names, social insurance numbers or financial information.

However, they do include personal health numbers, birthdates, postal
codes and in one case in which Statistics Canada data was being used,
the breaches included information pertaining to individuals’ mental,
physical and sexual health status.

“I want to be very clear we have not found any evidence that any of
this data has been used for anything but health research,” MacDiarmid
said.

In all three cases the health data was saved on portable storage
devices - USB sticks, MacDiarmid said. “It was then shared with
individuals without respecting the established permissions and
protocols that are required by the ministry.”

In October and November the Health Ministry asked for the information
to be returned.

In two of the cases the health data was saved in a format accessible
only with a specific software. The information was also presented in
data sets and tables that could not likely be matched to a personal
health number, MacDiarmid explained.

As a result of the Health Ministry’s investigation, seven ministry
employees have been fired. Their names were not released by the Health
Ministry but have become public. On Jan. 8 one of those fired was found
dead in his home. Foul play is not suspected and an autopsy has not
identified the cause.

MacDiarmid presented three privacy breach examples:

- June 2012: The health data of about 38,000 individuals was shared
with a researcher. The data was linked to Statistics Canada community
health survey information. The disclosure of the information breached
an agreement with the federal government.

- June 2012: A USB stick which contained a plain text file of 19 types
of health data was provided to an authorized ministry contractor. The
file included personal health numbers and health conditions - such as
Alzheimer's - for about five million individuals over several years.
Against policy, the data was neither encrypted nor made
non-identifiable.

- October 2010: Health Ministry data containing the personal health
numbers of about 21,000 people - with diagnostic information for about
262 chronic diseases conditions - was shared on a USB stick with a
researcher without a request being approved.

Information and Privacy Commissioner Elizabeth Denham will release her
independent investigation in coming weeks.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
