270 children exposed in Capital Health breach
Date Reported:
11/13/07
Organization:
Capital Health
Contractor/Consultant/Branch:
Glenrose Rehabilitation Hospital
Victims:
Child patients
Number Affected:
270
Types of Data:
Canada Personal Health number (PHN), name, date of service, and diagnosis
Breach Description:
A pediatrician working for the Glenrose Rehabilitation Hospital copied confidential patient information onto a flash drive and placed it securely in her purse. The purse was stolen, resulting in the compromise of personal information relating to 270 children.
Reference URL:
CBC News Story
AM Radio 630 News Story
Report Credit:
CBC News
Response:
From the sources cited above:
The doctor at the Glenrose Rehabilitation Hospital had the medical information of 270 children stored on a computer memory stick. She put the tiny device in her purse and locked it in her office drawer, but the purse was stolen on Aug. 16 (2007).
"The records we were concerned with were personal health number, name, date of service at Glenrose and diagnosis," confirmed Steve Buick, spokesman for Capital Health. "Not enough clinical detail, but enough that a parent might naturally be concerned."
[Comfyllama] What is "not enough" and who gives Capital Health the authority to judge?
"I was shocked. That kind of stuff that should be locked up shouldn't be going into people's purses," said Rick Klein, whose son was treated at the Glenrose hospital about five years ago. "Who knows who has the information now?"
[Comfyllama] As a parent myself, I can empathize with what Mr. Klein must be feeling.
'It is unbelievable that after a number of high-profile incidents in the past, organizations are not getting it.'—Frank Work, Alberta's privacy commissioner
Frank Work, Alberta's privacy commissioner, has warned that computer security breaches are reaching an all-time high. He says password protection just isn't enough, and says that all personal information on laptops should be encrypted.
[Comfyllama] Bullseye. This is reality. Mr. Work knows a thing or two, eh?
Steve Buick says by January, all laptops used by the region should be encrypted, which would make it harder to get at that kind of information. He says there should also be a lot less information ever going on portable computer devices, because of changes Capital Health will make to its central computer file storage area.
Commentary:
Flash drives (or thumb drives) make life very convenient for users, but unfortunately there is a significant cost in terms of information security. All information security programs need to take this risk into account and find creative ways to mitigate such risk. I have seen many organizations completely ban the use of removable media, and I have seen others come up with creative ways to manage the risk. Obviously, file and/or device encryption works well if managed right.
I remember writing about the earlier Capital Health breach in August and was really irked by Steve Buick's comments.
Past Breaches:
August 2007 - Four laptops are stolen from Capital Health, exposing more than 20,000

What if it was a disk with patients undergoing drug treatment or something? Computers in health care facilities should be under some strict security policies. Without proper authorisation, no data should be allowed to be copied off of them.