It appears a bit coincidental that I posted this morning that organizations should encrypt data to prevent privacy breaches (PIPEDA and Canadian Privacy Law: Managing privacy risks using basic technology) and I've just discovered the Calgary Herald is reporting that encrypted mainframe tapes containing health records of "hunreds of thousands" of Albertans have gone missing. I hope this is a "non-incident", but in any event the Information and Privacy Commissioner of Alberta is on the case:
Alberta health records go astray: 'Hundreds of thousands' of files feared breached:
"Confidential health records of 'hundreds of thousands' of Albertans disappeared or were tampered with while in the hands of a courier earlier this month, prompting an investigation by the province's Information and Privacy Commissioner.
Details were scarce, but government sources told the legislature bureau on Tuesday that Privacy Commissioner Frank Work has been called in to investigate after data -- digitized, encrypted, and stored on large reel-to-reel tapes -- went missing or was otherwise tampered with while in transit between two government facilities.
It appears the tapes were backups, mainly for archival purposes. The information is considered confidential and could include medical records, prescriptions and billing history.
Sources would not confirm if the tapes were recovered or the police were investigating.
The sources said Health and Wellness Minister Iris Evans was assured by an expert with IBM Canada that a mainframe computer system and the proper encryption code would be needed to read the data.
Nonetheless, there is some concern that organized criminal gangs could have the ability to crack the code and use the highly private information...."
CBC Calgary - Privacy commissioner looking into missing health info:
"...'There are names, health care and payroll numbers, payroll rates and the family status of the names on it,' Deere said. 'So there's no real personal health information on it, per se.
'But we take any potential breach of privacy quite seriously, and that's what this is, a potential breach. So we've reported it to the privacy commissioner and he's investigating.'
Deere said birth dates weren't part of the information on the tapes...."