Prescription Information Network BreachedBritish Columbia's PharmaNet System Accessed
Canadian authorities are investigating whether a hacker or healthcare insider used a physician's credentials to gain unauthorized access to a British Columbia prescription information network, accessing information on about 1,600 patients.
In a statement about the breach issued on July 11, the British Columbia Ministry of Health says that staff of its PharmaNet network conducted a forensic audit after noticing suspicious activity on the system. The audit discovered that between March 9 and June 19, an unknown, unauthorized person used a doctor's PharmaNet account without the physician's knowledge to access the personal information of about 1,600 patients.
The information inappropriately accessed includes patients' names, dates of birth, addresses, telephone numbers, and personal health numbers - BC Services Card or Care Card numbers. For 34 individuals, the unauthorized access also involved looking at medication histories.
Doctors throughout British Columbia use the PharmaNet network to check the drug histories of patients, enter prescription information and check for potential drug interactions before writing prescriptions, a spokesman in the B.C. ministry of health tells Information Security Media Group. While PharmaNet links all B.C. pharmacies to a central set of data systems, it is not used by healthcare providers to transmit and process prescriptions electronically to pharmacies, which ensures that the unauthorized individual cannot use the system to order or obtain fraudulent prescriptions, he says. Prescriptions are written out separately for patients to present to pharmacists, who enter the dispensing information into the PharmaNet system, he explains.
"It's still being determined whether the person who accessed the system worked for the doctor or is someone external," the spokesman tells ISMG.
Every prescription dispensed in British Columbia is entered into PharmaNet. In 2007, more than 47 million prescriptions were processed on PharmaNet and the system flagged more than 24 million potential drug interactions, says the ministry in its statement.
The Ministry of Health and the British Columbia government's Office of the Chief Information Officer are investigating the incident, but authorities do not expect the number of breach victims to rise, the spokesman says. The incident was reported to the government's Information Privacy Commissioner, and the Ministry of Health is contacting all affected individuals by letter, offering free credit protection services.
"While this privacy breach did not include banking information, enough information was accessed to be used for identity theft," the ministry's statement says. "The ministry encourages affected people to keep a close eye on their bank accounts, credit cards, and online identity and services."
Additionally, those affected are being encouraged to contact their local pharmacy to put a "keyword" on their PharmaNet profile to notify pharmacists. "They can also request, through Health Insurance BC, a Medical Services Plan alert, which prompts health professionals to ask for a second piece of identification when a person uses his or her personal health number."
Unauthorized access incidents underscore the importance of active security monitoring and regular security assessments, says Dan Berger, CEO of Redspin, a data security services firm. "Without sophisticated security monitoring in place, it can be very difficult to detect an attack" and other intrusive breaches, he says.
Health Data Targeted
The healthcare sector, as well as government sector systems handling health-related data, are increasingly targets of cybercriminals because of the information those systems contain, including health insurance identification numbers in the U.S. and elsewhere (see Why Hackers Are Targeting Health Data).
The FBI estimates that $80 billion of the $2.2 trillion a year spent on healthcare in the United States is associated with fraud, with half of that fraud tied to medical ID theft, says Bill Barr, a development director at the Medical ID Fraud Alliance.