In this week's breach roundup, British Columbia Health Minister Margaret MacDiarmid has confirmed personal health data for millions of individuals was accessed for research purposes without authorization. Also, authorities are investigating a breach of Canada Student Loan borrower information after an unencrypted external hard drive was lost.
British Columbia Health Incident Revealed
British Columbia's Health Minister Margaret MacDiarmid has confirmed personal health data about millions of individuals was accessed for research purposes without authorization, according to a statement issued by the government of the Canadian province.
MacDiarmid said that in three cases, personal health data was inappropriately accessed, saved on USB drives and shared with researchers and other contractors without required permission.
In the first case, health data on more than 38,000 people was shared with an individual, according to the statement. The information shared included personal health numbers, gender, date of birth and postal codes, as well as information linked from Statistics Canada's Canadian Community Health Survey. Other exposed information included hospital admissions, discharges, medication history and medical services plan claims.
In the second case, a USB drive containing information on 19 types of health data, including personal health numbers, gender, age group, length of hospital stay and amounts spent on various categories of healthcare for more than 5 million individuals was provided to a ministry contractor, the statement said.
The third case involved the personal health numbers of about 21,000 people that were shared with a researcher without a data request being approved.
"There continues to be no evidence that information was accessed or used for purposes other than health research," MacDiarmid says. "However, the ministry takes its responsibility to safeguard British Columbian's health information seriously, and that is why a comprehensive investigation of electronic records was undertaken, including computer databases, storage devices and e-mail records going back several years."
The health ministry is following a recommendation from the Office of the Information and Privacy Commissioner to notify the 38,000 individuals in the first case, because the participants consented under the condition that the personal identifiable information was for research and would not be disclosed outside of the ministry.
Student Loan Borrowers' Info Lost
The Royal Canadian Mounted Police are investigating a breach of Canada Student Loan borrower information after an unencrypted external hard drive was lost.
Some 583,000 individuals were affected, according to the Vancouver Sun. Information on the drive includes names, social insurance numbers, dates of birth, contact information and loan balances for borrowers who got loans from 2000 to 2006.
An employee of Human Resources and Skills Development Canada discovered the drive was missing in early November, the Vancouver Sun reported. The agency discovered the missing hard drive while reviewing a separate incident involving a lost USB key that contained the personal information of more than 5,000 Canadians (see: Canada: Breach Sparks Investigation).
The drive was not approved by the federal government and wasn't encrypted, which is a requirement, according to the newspaper.
Stolen Device Exposes Youth, Employee Records
The Florida Department of Juvenile Justice is notifying more than 100,000 individuals that their information was exposed when an unencrypted device was stolen from a secure office.
The unspecified device wasn't password-protected as required under department policy, according to a statement from the state agency.
The device contained youth and employee records, although it's unclear what specific information was exposed, the statement explained. On Jan. 2, the department reported the theft to the Tallahassee Police Department, which is overseeing the investigation. A notice was also sent to the state's Office of Information Security and the Department of Law Enforcement, the statement said.
The department sent e-mails with a policy reminder and security instructions to all employees and contracted providers. It required the immediate encryption of all mobile devices that contain confidential data that's not already protected.
Hard Drives Bought Online Contained Police Info
Hard drives containing names and Social Security numbers of Macon, Ga. police officers were sold through an online auction site, according to The Telegraph newspaper. The number of officers affected has not been revealed.
The police department hard drives, which were thought to be wiped of information, also stored personal data from local businesses, the newspaper reports.
William Foster, who operates a computer repair business, purchased several police department computer components through the website GovDeals.com in July 2011, the newspaper says. When the police department gets rid of a computer, the Information Technology Department routinely cleans the hard drives before selling equipment online, police told the newspaper.