BreachExchange mailing list archives
B.C. Health Ministry data breach affects millions – 38,000 will receive letters
From: Erica Absetz <eabsetz () opensecurityfoundation org>
Date: Tue, 15 Jan 2013 13:07:13 -0500
http://www.timescolonist.com/news/local/b-c-health-ministry-data-breach-affects-millions-38-000-will-receive-letters-1.47803

The personal health data of more than five million British Columbians was improperly stored or accessed, said B.C. Health Minister Margaret MacDiarmid, Monday. The information was used by researchers for research only, MacDiarmid said; however, regarding the most serious alleged privacy breach, letters will be sent out to 38,000 individuals this week.

“The ministry has confirmed that there have been three instances of health data that has been inappropriately accessed and the public needs to be aware of these,” MacDiarmid said in a press conference.

The Health Ministry has been investigating allegations of conflict of interest, along with inappropriate conduct, data management and contracting out in its pharmaceutical services division since May. Ministry investigators are looking at alleged privacy breaches regarding the storing and sharing of provincial and federal health data as well as research grant practices between Health Ministry employees and researchers at the University of Victoria and University of B.C.

In an update of the nine-month probe of “tens of thousands” of computer records dating back several years, MacDiarmid served up three examples of alleged wrongdoing Monday.

The alleged breaches in June 2012 and October 2010 do not include personal names, social insurance numbers or financial information. However, they do include personal health numbers, birthdates, postal codes and, in one case in which Statistics Canada data was being used, the breaches included information pertaining to individuals’ mental, physical and sexual health status.

“I want to be very clear we have not found any evidence that any of this data has been used for anything but health research,” MacDiarmid said.
In all three cases the health data was saved on portable storage devices - USB sticks, MacDiarmid said. “It was then shared with individuals without respecting the established permissions and protocols that are required by the ministry.”

In October and November the Health Ministry asked for the information to be returned. In two of the cases the health data was saved in a format accessible only with specific software. The information was also presented in data sets and tables that could not likely be matched to a personal health number, MacDiarmid explained.

As a result of the Health Ministry’s investigation, seven ministry employees have been fired. Their names were not released by the Health Ministry but have become public. On Jan. 8 one of those fired was found dead in his home. Foul play is not suspected; an autopsy has not identified the cause.

MacDiarmid presented three privacy breach examples:

- June 2012: The health data of about 38,000 individuals was shared with a researcher. The data was linked to Statistics Canada community health survey information. The disclosure of the information breached an agreement with the federal government.
- June 2012: A USB stick which contained a plain text file of 19 types of health data was provided to an authorized ministry contractor. The file included personal health numbers and health conditions - such as Alzheimer's - for about five million individuals over several years. Against policy, the data was neither encrypted nor made non-identifiable.
- October 2010: Health Ministry data containing the personal health numbers of about 21,000 people - with diagnostic information for about 262 chronic diseases conditions - was shared on a USB stick with a researcher without a request being approved.

Information and Privacy Commissioner Elizabeth Denham will release her independent investigation in coming weeks.