BreachExchange mailing list archives
Law that hides massive health privacy breach from patients is useless
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 24 Jan 2014 17:05:09 -0700
http://www.calgaryherald.com/that+hides+massive+health+privacy+breach+from+patients+useless/9423777/story.html

When nearly one-sixth of all Albertans have their medical information stolen, and nobody says a damn thing about it for nearly four months, a lot of people are going to be very angry.

Fred Horne, for instance. He’s the health minister. He was also a patient at a Medicentres clinic, the group whose information technology “expert” left a laptop loaded with 620,000 patient records lying around.

Horne says he’s not quite sure if his own visit fell within the 2.5-year time frame of this massive data leak. But he certainly is upset. And he makes the crucial point: “We need to think about who was left out of this equation — the patient.”

Patients and the public should have been told within days — by the Edmonton police, the Medicentres group and most certainly by Alberta’s Information and Privacy Commission, which was informed right at the start but sat on the information.

There are two big issues here — the leak itself and the long delay in any public disclosure, which shows a stunning disregard for patient rights.

To Horne, it’s “mind boggling that a laptop computer with 620,000 patient records on it would be moving around and accessible.

“And the fact that it was also unencrypted is unfathomable to me.”

And to just about everyone else. It costs about $100 to encrypt a laptop so tightly that Edward Snowden couldn’t find his invitation to Russia. But this stolen computer, wherever it might be, is only password-protected.

That security lapse seems to fall on this clinic group, Medicentres Canada Inc., which has nine walk-in locations in Calgary and 16 in Edmonton. They’ve been around for decades and provide good medical service for the legions who don’t have family doctors.

Medicentres informed the police, and then the Information and Privacy office, headed by Commissioner Jill Clayton. This is where it gets so stupid the only response is maniacal laughter.

This office, which reports to the legislature, is supposed to protect privacy when required, and release information when justified. But in this case, the most widespread privacy breach ever to affect Albertans was suppressed, by law.

It’s not just that the public wasn’t told. The health minister wasn’t told. Alberta Health Services wasn’t told. The legislative services committee, to which Clayton reports, wasn’t told either.

She didn’t say a word to this oversight committee even though, last Nov. 29, she testified before the MLAs, trumpeting her office’s many triumphs. “We expanded our Right to Know activities,” she said, with no hint of irony. “We also hosted Data Privacy Day as well.”

MLA Wayne Cao, the PC chairman of the committee, doesn’t blame Clayton for keeping quiet. He wants the law changed, though, so that “every privacy breach is reported publicly, immediately.”

Clayton says the bill that governs this episode — the Health Information Act — prohibits her absolutely from telling anyone anything, including the most general information such as: “620,000 Albertans have had their health data stolen.”

It’s hard to see how that would violate anyone’s personal privacy. But Clayton views the law she works with as a blanket prohibition. The only people who can talk about such a breach are the “custodians” of the data, Clayton says. In this case, that’s Medicentres, which finally published small notices in newspapers on Thursday.

Clayton didn’t investigate the breach at the start, because Medicentres reported the breach to her. If she had investigated, she could have released information. Now that the news is out, she’s investigating, because Horne asked her to.

This is the point where government totally parts company with common sense. But a couple of things are clear. An information and privacy system that won’t reveal information about a huge violation of public privacy is pretty much useless. But that system comes first. Victims are, oh, four months behind.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com
Supporters: Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus on the right security. If you need security help or want to provide real risk reduction for your clients contact us!