Health Data of More Than 5 Million Canadians Accessed In Multiple Breach Incidents

Healthcare data for 38,000 Canadians in British Columbia were inappropriately shared with a university researcher, a government official said Monday.

The British Columbia Health Ministry discovered that employees were bypassing proper storage and data transfer procedures to share healthcare data with university researchers from University of British Columbia and University of Victoria since May, according to Health Minister Margaret MacDiarmid. Over 5 million people have been affected across several incidents. The Health Ministry is notifying only the 38,000 associated with the first breach, in June 2012, because the incident was the most serious, MacDiarmid said.

The shared information included personal health numbers, gender, dates of birth, postal codes, medication history and Medical Services Plan claims. While other types of personally identifying information had been stripped out, each record was linked to Statistics Canada's community health survey information, according to the local newspaper the Victoria Times-Colonist. The health survey data concerned individuals' mental, physical, and sexual health.

“The ministry has confirmed that there have been three instances of health data that has been inappropriately accessed and the public needs to be aware of these,” MacDiarmid said.

The investigation is in progress, but there appears to be "a number of other breaches," the Globe and Mail reported.

In another incident in June 2012, employees handed over an unencrypted USB drive containing 16 types of health data relating to more than 5 million people over five years to a ministry contractor. The file included personal health numbers, gender, age group, length of hospital stay, and the amount of money spent on various categories of health care, MacDiarmid said. The contractor was authorized to receive non-identifiable data and encrypted identifiable data; the data shared was neither encrypted nor non-identifiable, MacDiarmid said.

Another researcher received another USB stick with personal health information, such as diagnostic information for about 262 chronic disease conditions and prescription history for some drugs, for about 21,000 people.

"It’s one thing for attackers to steal data with sophisticated malware, but to simply share vast quantities of private data inappropriately is inexcusable – and it’s also easily avoidable," Mark Bower, a data security expert and vice-president at Voltage Security, told SecurityWeek.

None of the data had individual names, social insurance numbers, or personal financial information, MacDiarmid said. The exposed data was used only for healthcare purposes and there has been no sign of the data being used maliciously, but the ministry has fired seven employees who were involved for not following policies and procedures.

"Data breaches undermine citizens' trust, lead to potential identity fraud, and involve complicated, costly remediation," Bower said.

The Health Ministry will be improving its information management procedures and has introduced a “mandatory privacy and data security training program for all employees," MacDiarmid said.

Considering sensitive information can easily and quickly be safeguarded using data-centric security products, Bower said it was a mystery why BC Health didn't "take that extra step" instead of "just writing handling rules that clearly weren't followed."

Tools to protect data are readily available, and even more so for a major government department dealing with millions of sensitive records, Bower said. Many large-scale organizations consistently and securely protect data at rest as well as in transit: in applications and databases, to outsourcers, to cloud services, in Big Data, and in and out of the enterprise.

Data-centric security can be a business enabler, Bower noted. Live data is protected on production systems, data is de-identified for use on development systems, and datasets can be shared with third-party research hospitals for analysis without compromising the integrity of the data or the research, he said.

"Quicker analysis from more data means better results, faster decision making, more value from data, and improved healthcare," Bower said.

In the coming weeks, Information and Privacy Commissioner Elizabeth Denham is expected to release the results of her own independent investigation examining the breaches as well as reviewing the Health Ministry's data-handling practices in relation to research. "Clearly a new approach to data privacy is needed," Bower said.

Fahmida Y. Rashid is a contributing writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.