Wednesday, March 30, 2005

Incident: Encrypted tapes containing health information on hundreds of thousands of Albertans missing or tampered with

It appears a bit coincidental that I posted this morning that organizations should encrypt data to prevent privacy breaches (PIPEDA and Canadian Privacy Law: Managing privacy risks using basic technology) and I've just discovered the Calgary Herald is reporting that encrypted mainframe tapes containing health records of "hundreds of thousands" of Albertans have gone missing. I hope this is a "non-incident", but in any event the Information and Privacy Commissioner of Alberta is on the case:

Alberta health records go astray: 'Hundreds of thousands' of files feared breached:

"Confidential health records of 'hundreds of thousands' of Albertans disappeared or were tampered with while in the hands of a courier earlier this month, prompting an investigation by the province's Information and Privacy Commissioner.

Details were scarce, but government sources told the legislature bureau on Tuesday that Privacy Commissioner Frank Work has been called in to investigate after data -- digitized, encrypted, and stored on large reel-to-reel tapes -- went missing or was otherwise tampered with while in transit between two government facilities.

It appears the tapes were backups, mainly for archival purposes. The information is considered confidential and could include medical records, prescriptions and billing history.

Sources would not confirm if the tapes were recovered or the police were investigating.

The sources said Health and Wellness Minister Iris Evans was assured by an expert with IBM Canada that a mainframe computer system and the proper encryption code would be needed to read the data.

Nonetheless, there is some concern that organized criminal gangs could have the ability to crack the code and use the highly private information...."

Update:

CBC Calgary - Privacy commissioner looking into missing health info:

"...'There are names, health care and payroll numbers, payroll rates and the family status of the names on it,' Deere said. 'So there's no real personal health information on it, per se.

'But we take any potential breach of privacy quite seriously, and that's what this is, a potential breach. So we've reported it to the privacy commissioner and he's investigating.'

Deere said birth dates weren't part of the information on the tapes...."

1 comment:

Anonymous said...

I totally love your web site! It's interesting and heart-warming to see that somebody realizes that the protection of privacy is so important that if we don't defend it we will lose it entirely. I noticed you didn't put a date on your update though.

This issue is one of the most important to Albertans ever, yet news reporters, opposition parties, etc. are not much interested in it.

Why is this coverup so very important to the officials who breach your security?

It appears to me (after I phoned many sources) that there are no Alberta or Canadian laws that state that if a person's privacy is breached the company or government at fault is required to notify individuals within a SPECIFIED TIME PERIOD. Neither privacy commissioners, opposition parties, nor news reporters have been able to tell me they are aware of such laws.

When this health computerization first started, I asked the health people how secure it would be and they assured me it would be very secure (always a joke of course).
They stated that if anyone's records were breached, they would be advised immediately.

Well it's been several months now, and no doubt investigations will take another five or ten years. No doubt they fear a lawsuit. Likely they will investigate such breaches for very long periods, hoping people will simply forget about them.

The reason people must NOT forget is that if Alberta eventually goes to private health care, and indeed more and more procedures do require it, every second Albertan who has had his security breached in this case, may suddenly discover that he CANNOT get private health care and he won't be told why. There is no law stating that people must be told why either.

In the case of one of your other articles where many civil servants had their data stolen, that could affect Albertans too. These people may find out that they may never get a city or government job in the future, and won't be told why in that case either.

Albertans really need to wake up quickly. They are fools if they believe that since only tiny bits and pieces of information about them are stolen from 20 or 30 sources, no one will be able to compile that. This type of information is worth billions of dollars to security agencies who sell private information about you over the internet.

Albertans are also fools if they believe the stories from the health department that no one will be able to encrypt certain codes. Anyone can encrypt anything if they have a few dollars to pay someone. There will always be a willing person who will supply such information for money.

Canadians, and Albertans in particular, need laws to protect ourselves and we won't get them unless we realize the extreme dangers.

I wish we had good news reporters in Calgary. What Canada so much needs right now are investigative news reporters versus the lazy ones who park their butts at computer desks and compile info from the internet.

Just as lack of government concern can destroy the freedom of a country, so can lack of "news reporter" comment. News reporters who "CARE" are very important to the country.