Capital Health (Canada), Stolen Laptops, 20,000+ Affected

Date Reported:
8/2/07

Organization:
Capital Health (Canada)

Contractor/Consultant:
None

Number Affected:
20,000+

Types of Data:
Name, Canadian health card number, address, reason for hospital admittance.

Breach Description:
Four laptop computers were stolen from staff desks while secured to the desks with cable lock devices in a secure building. The thieves were able to enter the building, dislodge the cable locks and remove the computers during the evening hours of May 8th.

Reference URL:
www.capitalhealth.ca/NewsAndEvents/NewsReleases/2007/StolenLaptops.htm
www.edmontonsun.com/News/Edmonton/2007/08/02/4389517.html
www.edmontonsun.com/News/Alberta/2007/08/03/4390118-sun.html

Report Credit:
Edmonton Sun News

Response:
From one or more articles cited above:
"the risk of a hacker cracking the passwords is very low, said Capital Health spokesman Steve Buick"

"Leroy Brower with the privacy commissioner’s office said the data in the laptops was not encrypted"

"Buick said Capital Health has a software that locks computer hard drives, which would afford the same level of protection." "All laptops in the region have been installed with this, he added." “A theft like this happening today would produce virtually no sense of any breach.”

From an earlier report from the privacy commissioner's office:
"And if storing information on a laptop is needed, it must be encrypted."
"Password protection alone is not sufficient,"

Commentary:
Although I applaud Capital Health's efforts to secure laptops physically through the use of cable locks, I have some concerns.

My primary concern is Mr. Buick's minimizing responses to this breach. It is absolutely evident that he knows very little about information security and the importance of protecting personally identifiable information. He needs to understand that this data DOES NOT belong to Capital Health, but belongs to the persons whose data was lost. I am also a bit concerned by how long it took for this breach to be disclosed, for which no explanation was provided. The breach occurred on May 8th.

Marjorie Mellor, Information Access and Privacy Coordinator for Capital Health, on the other hand, issued a very responsible response:
"Even though the possibility of patient data being compromised is very low in this situation, we take the privacy of our patients and clients very seriously. We are implementing additional security measures to further increase the protection of the information that we retain."

It would behoove Capital Health to follow additional best practices in the future, including the privacy commissioner's advice:
 - Do not store sensitive information on a laptop unless absolutely necessary.
 - Sensitive data at rest must be encrypted.

Past Breaches:
None since August 2007

 