Sensitive Canadian health information leak
Date Reported:
11/23/07
Organization:
Government of Newfoundland and Labrador - Canada
Contractor/Consultant/Branch:
Provincial Public Health Laboratory (PHL)*
*The PHL acts as the provincial laboratory centre for infectious disease surveillance and control. It provides routine, specialized and reference laboratory services in clinical and public health microbiology to all hospitals, clinics and other health-related agencies in the province.
Victims:
PHL Patients
Number Affected:
Unknown
Types of Data:
Names, Medical Care Plan (MCP) numbers, age, sex, physician, and test results for infectious diseases, including HIV and hepatitis.
Breach Description:
An "open internet connection" is being blamed for a breach of PHL patient data. A person claiming to be a representative of a "computer security company" informed a consultant of the PHL that he was in possession of some patient information presumably obtained through the vulnerable internet connection. The consultant was using a PHL desktop computer in a home office at the time.
Reference URL:
Government of Newfoundland and Labrador Press Release
CBC News Coverage
Information Week Coverage
Report Credit:
Government of Newfoundland and Labrador - Canada
Response:
From the official government news release and sources cited above:
"On Tuesday evening of this week, there was a security breach that exposed the confidential information of some patients whose test results are held by our Provincial Public Health Laboratory," said Minister Kennedy. "This is a very serious matter that required immediate action."
[Comfyllama] Tuesday being 11/20/07.
The security breach involved the exposure of files containing patient information through an open Internet connection.
The files were stored on a desktop computer that is normally housed within the PHL but was being used externally in the home office of a consultant on contract with the laboratory.
The consultant became aware of the potential breach when called by an individual identifying himself as a representative of a computer security company who claimed he was in possession of some of the patient information stored on the consultant’s computer.
[Comfyllama] I am very curious as to how this representative of a computer security company came into the possession of this information. I certainly hope that he did not access this PHL computer without authorization, because doing so is against the law. This is a dilemma. "Bad guys" (or black hats) don't care about the law, but we "good guys" (or white hats) do. Bad guys can break into systems without authorization to find holes; good guys cannot. Good guys break into systems only when given authorization to do so, preferably in writing. Then there are the guys somewhere in the middle (grey hats). See?
"Upon learning of this situation, our government instigated an immediate process to determine what the scope of the breach might be," said Minister Kennedy. "We engaged the Office of the Chief Information Officer (OCIO) for its expertise and advice in this matter, we contacted the Royal Newfoundland Constabulary and we secured the services of a Canadian technology company specializing in information and infrastructure security."
[Comfyllama] Outside resources should be welcomed.
Until the forensic investigation is complete, the number of patients whose information may have been exposed cannot be determined. Patient information held by PHL includes names, MCP numbers, age, sex, physician and test results for infectious diseases, including HIV and hepatitis.
"This appears to be an isolated situation," said Minister Kennedy. "The information garnered from our investigation thus far supports this. Because the external computer was not part of the systems and networks of either the laboratory or Eastern Health, which provides IT support to PHL, this breach in no way reflects on the integrity of these systems. We can say unequivocally that all other patient information stored by our government and the regional health authorities was in no way jeopardized by this one situation with one computer external to our networks."
[Comfyllama] This breach may not reflect on the integrity of the systems, but it does reflect poorly on information security policy and practice. Confidential data requires the same amount of protection no matter where it resides. No data should leave on a computer unless the same (or better) protections are in place at the destination.
Commentary:
Two things really bug me about this breach.
One is the incident itself, meaning the mystery computer security company representative. Who is this and how did he get the information? Good information security professionals are held to a higher standard. There is a police investigation underway.
Secondly, there is no mention as to whether or not bringing confidential data on a PHL computer to a home office that lacks adequate protection goes against any PHL policies. If this doesn't go against policy, then there definitely needs to be a revision. This data is too sensitive.
Past Breaches:
Unknown
Privacy Commissioner released an order regarding this breach: Newfoundland and Labrador Office of the Information and Privacy Commissioner, Report P-2008-001, Department of Health and Community Services.