Health Data of More Than 5 Million Canadians Accessed In Multiple Breach Incidents

Healthcare data for 38,000 Canadians in British Columbia were inappropriately shared with a university researcher, a government official said Monday.

The British Columbia Health Ministry discovered that employees had been bypassing proper storage and data transfer procedures to share healthcare data with university researchers from the University of British Columbia and the University of Victoria since May, according to Health Minister Margaret MacDiarmid. Over 5 million people have been affected across several incidents. The Health Ministry is notifying only the 38,000 associated with the first breach, in June 2012, because the incident was the most serious, MacDiarmid said.

The shared information included personal health numbers, gender, dates of birth, postal codes, medication history and Medical Services Plan claims. While other types of personally identifying information had been stripped out, each record was linked to Statistics Canada’s community health survey information, according to local news outlet the Victoria Times Colonist. The health survey data concerned individuals’ mental, physical, and sexual health.

“The ministry has confirmed that there have been three instances of health data that has been inappropriately accessed and the public needs to be aware of these,” MacDiarmid said.

The investigation is in progress, but there appears to be “a number of other breaches,” the Globe and Mail reported.

In another incident in June 2012, employees handed over to a ministry contractor an unencrypted USB drive containing 16 types of health data relating to more than 5 million people over five years. The file included personal health numbers, gender, age group, length of hospital stay, and the amount of money spent on various categories of health care, MacDiarmid said. The contractor was authorized to receive non-identifiable data and encrypted identifiable data, but the data shared was neither encrypted nor unidentifiable, MacDiarmid said.

Another researcher received another USB stick with personal health information, such as diagnostic information for about 262 chronic disease conditions and prescription history for some drugs, for about 21,000 people.

“It’s one thing for attackers to steal data with sophisticated malware, but to simply share vast quantities of private data inappropriately is inexcusable – and it’s also easily avoidable,” Mark Bower, a data security expert and vice-president at Voltage Security, told SecurityWeek.

None of the data had individual names, social insurance numbers, or personal financial information, MacDiarmid said. The exposed data was used only for healthcare purposes and there has been no sign of the data being used maliciously, but the ministry has fired seven employees who were involved for not following policies and procedures.

“Data breaches undermine citizens’ trust, lead to potential identity fraud, and involve complicated, costly remediation,” Bower said.

The Health Ministry will be improving its information management procedures and has introduced a “mandatory privacy and data security training program for all employees,” MacDiarmid said.

Considering sensitive information can easily and quickly be safeguarded using data-centric security products, Bower said it was a mystery why BC Health didn’t “take that extra step” instead of “just writing handling rules that clearly weren’t followed.”

Tools to protect data are readily available, and even more so for a major government department dealing with millions of sensitive records, Bower said. Many large-scale organizations can consistently and securely protect the data at rest as well as in transit, such as in applications and databases, to outsourcers, to cloud services, in Big Data, and in and out of the enterprise.

Data-centric security can be a business enabler, Bower noted. Live data is protected on production systems, data is de-identified for use on development systems, and datasets can be shared with third-party research hospitals for analysis without compromising the integrity of the data or the research, he said.

“Quicker analysis from more data means better results, faster decision making, more value from data, and improved healthcare,” Bower said.

In the coming weeks, Information and Privacy Commissioner Elizabeth Denham is expected to release the results of her own independent investigation examining the breaches as well as reviewing the Health Ministry’s data-handling practices in relation to research. “Clearly a new approach to data privacy is needed,” Bower said.
