BC healthcare breach affects 5 million Canadians

16 January 2013

The Ministry of Health has improperly handled health data for more than five million British Columbians over the course of at least three incidents in its dealings with university researchers and contractors, violating the encryption regulations required by law. The BC provincial government plans to notify more than 38,000 individuals of the breaches by letter.

Considering that Canada has a population of only 35 million, the numbers are significant.

As so often happens in these situations, this was a case of health data being saved on unencrypted USB sticks. In the most egregious case and the only one requiring that patients be notified, a thumb drive was given to a medical research contractor containing plain-text information like personal health numbers, gender, dates of birth, postal codes, medication history and Medical Services Plan claims, along with highly personal information from Statistics Canada’s Canadian Community Health Survey. The latter covers data about mental, physical and sexual health.

However, the data did not include names, social insurance numbers or financial information – and the ministry was quick to stress that it is unlikely that the information is being used for anything untoward.

"I take this very seriously, but I do feel that I can be reassuring," said Health Minister Margaret MacDiarmid, speaking to CTV. "We don't believe there is a great risk to individuals with this information because there is no evidence at all that the information has been used for anything other than health research."

The discovery of the wayward USB practices arose from an ongoing probe launched in September into research-grant practices between researchers and the ministry, she noted. Three specific data breaches have been discovered so far.

In October 2010, a USB drive containing the health numbers of 21,000 people and the diagnostic information for 262 chronic diseases/conditions was given to a researcher without requests for the data being made through the proper channel.

In June 2012, the same month as the notification-triggering breach previously outlined, a staggering five million unencrypted plain-text records found their way into the hands of a contractor by way of USB stick. The information included personal health numbers, gender, age group, lengths of hospital stays and the amounts spent on various categories of health care.

MacDiarmid said the ministry is tracking the cost of the breach, noting she could not yet provide any firm numbers.

Seven employees have lost their jobs and two lawsuits are ongoing as a result of the probe. Malcolm Maclure, a director of research and evidence development with the ministry's pharmaceutical services division, has filed a defamation suit against his employer, while the recently fired Ron Mattson is suing MacDiarmid and the province for wrongful dismissal, wrongful withholding of pay and defamation.

BC Information and Privacy Commissioner Elizabeth Denham is also launching an independent investigation.

The USB vulnerability is an ongoing concern in healthcare. A recent report from the Ponemon Institute found that 75% of US healthcare facilities surveyed don't secure medical devices containing sensitive patient data, while 94% have leaked data in the last two years – largely because of staff negligence.
