BreachExchange mailing list archives

Law that hides massive health privacy breach from patients is useless


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 24 Jan 2014 17:05:09 -0700

http://www.calgaryherald.com/that+hides+massive+health+privacy+breach+from+patients+useless/9423777/story.html

When nearly one-sixth of all Albertans have their medical information
stolen, and nobody says a damn thing about it for nearly four months, a lot
of people are going to be very angry.

Fred Horne, for instance.

He’s the health minister. He was also a patient at a Medicentres clinic,
the group whose information technology “expert” left a laptop loaded with
620,000 patient records lying around.

Horne says he’s not quite sure if his own visit fell within the 2.5-year
time frame of this massive data leak. But he certainly is upset.

And he makes the crucial point: “We need to think about who was left out of
this equation — the patient.”

Patients and the public should have been told within days — by the Edmonton
police, the Medicentres group and most certainly by Alberta’s Information
and Privacy Commission, which was informed right at the start but sat on
the information.

There are two big issues here — the leak itself and the long delay in any
public disclosure, which shows a stunning disregard for patient rights.

To Horne, it’s “mind boggling that a laptop computer with 620,000 patient
records on it would be moving around and accessible.

“And the fact that it was also unencrypted is unfathomable to me.”

And to just about everyone else. It costs about $100 to encrypt a laptop so
tightly that Edward Snowden couldn’t find his invitation to Russia.

But this stolen computer, wherever it might be, is only password-protected.

That security lapse seems to fall on this clinic group, Medicentres Canada
Inc., which has nine walk-in locations in Calgary and 16 in Edmonton.

They’ve been around for decades and provide good medical service for the
legions who don’t have family doctors.

Medicentres informed the police, and then the Information and Privacy
office, headed by Commissioner Jill Clayton.

This is where it gets so stupid the only response is maniacal laughter.

This office, which reports to the legislature, is supposed to protect
privacy when required, and release information when justified.

But in this case, the most widespread privacy breach ever to affect
Albertans was suppressed, by law.

It’s not just that the public wasn’t told.

The health minister wasn’t told.

Alberta Health Services wasn’t told.

The legislative services committee, to which Clayton reports, wasn’t told
either.

She didn’t say a word to this oversight committee even though, last Nov.
29, she testified before the MLAs, trumpeting her office’s many triumphs.

“We expanded our Right to Know activities,” she said, with no hint of
irony. “We also hosted Data Privacy Day as well.”

MLA Wayne Cao, the PC chairman of the committee, doesn’t blame Clayton for
keeping quiet.

He wants the law changed, though, so that “every privacy breach is reported
publicly, immediately.”

Clayton says the bill that governs this episode — the Health Information
Act — prohibits her absolutely from telling anyone anything, including the
most general information such as: “620,000 Albertans have had their health
data stolen.”

It’s hard to see how that would violate anyone’s personal privacy. But
Clayton views the law she works with as a blanket prohibition.

The only people who can talk about such a breach are the “custodians” of
the data, Clayton says. In this case, that’s Medicentres, which finally
published small notices in newspapers on Thursday.

Clayton didn’t investigate the breach at the start, because Medicentres
reported the breach to her.

If she had investigated, she could have released information.

Now that the news is out, she’s investigating, because Horne asked her to.

This is the point where government totally parts company with common sense.

But a couple of things are clear.

An information and privacy system that won’t reveal information about a
huge violation of public privacy is pretty much useless.

But that system comes first. Victims are, oh, four months behind.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
