Canadian Breaches Lead Roundup

Health Data Shared with Researchers without Authorization

By , January 17, 2013.
Canadian Breaches Lead Roundup

In this week's breach roundup, British Columbia Health Minister Margaret MacDiarmid has confirmed personal health data for millions of individuals was accessed for research purposes without authorization. Also, authorities are investigating a breach of Canada Student Loan borrower information after an unencrypted external hard drive was lost.

See Also: CISO Agenda 2015: Adding Value to a Security Program with Application Security

British Columbia Health Incident Revealed

British Columbia's Health Minister Margaret MacDiarmid has confirmed personal health data about millions of individuals was accessed for research purposes without authorization, according to a statement issued by the government of the Canadian province.

MacDiarmid said that in three cases, personal health data was inappropriately accessed, saved on USB drives and shared with researchers and other contractors without required permission.

In the first case, health data on more than 38,000 people was shared with an individual, according to the statement. The information shared included personal health numbers, gender, date of birth and postal codes, as well as information linked from Statistics Canada's Canadian Community Health Survey. Other exposed information included hospital admissions, discharges, medication history and medical services plan claims.

In the second case, a USB drive containing information on 19 types of health data, including personal health numbers, gender, age group, length of hospital stay and amounts spent on various categories of healthcare for more than 5 million individuals was provided to a ministry contractor, the statement said.

The third case involved the personal health numbers of about 21,000 people that were shared with a researcher without a data request being approved.

"There continues to be no evidence that information was accessed or used for purposes other than health research," MacDiarmid says. "However, the ministry takes its responsibility to safeguard British Columbian's health information seriously, and that is why a comprehensive investigation of electronic records was undertaken, including computer databases, storage devices and e-mail records going back several years."

The health ministry is following a recommendation from the Office of the Information and Privacy Commissioner to notify the 38,000 individuals in the first case, because the participants consented under the condition that the personal identifiable information was for research and would not be disclosed outside of the ministry.

Student Loan Borrowers' Info Lost

The Royal Canadian Mounted Police are investigating a breach of Canada Student Loan borrower information after an unencrypted external hard drive was lost.

Some 583,000 individuals were affected, according to the Vancouver Sun. Information on the drive includes names, social insurance numbers, dates of birth, contact information and loan balances for borrowers who got loans from 2000 to 2006.

An employee of Human Resources and Skills Development Canada discovered the drive was missing in early November, the Vancouver Sun reported. The agency discovered the missing hard drive while reviewing a separate incident involving a lost USB key that contained the personal information of more than 5,000 Canadians (see: Canada: Breach Sparks Investigation).

The drive was not approved by the federal government and wasn't encrypted, which is a requirement, according to the newspaper.

Stolen Device Exposes Youth, Employee Records

The Florida Department of Juvenile Justice is notifying more than 100,000 individuals that their information was exposed when an unencrypted device was stolen from a secure office.

The unspecified device wasn't password-protected as required under department policy, according to a statement from the state agency.

The device contained youth and employee records, although it's unclear what specific information was exposed, the statement explained. On Jan. 2, the department reported the theft to the Tallahassee Police Department, which is overseeing the investigation. A notice was also sent to the state's Office of Information Security and the Department of Law Enforcement, the statement said.

Follow Jeffrey Roman on Twitter: @gen_sec

  • Print
  • Tweet Like LinkedIn share
Get permission to license our content for reuse in a myriad of ways.
ARTICLE FBI: ISIS Backers Deface Websites

Islamic State sympathizers are exploiting a vulnerability in a WorldPress Content Management System...

Latest Tweets and Mentions

ARTICLE FBI: ISIS Backers Deface Websites

Islamic State sympathizers are exploiting a vulnerability in a WorldPress Content Management System...

The ISMG Network