According to cbc.com and other media outlets, 650 Canadians have been affected by the theft of an external hard drive that contained medical information. The Mazankowski Alberta Heart Institute announced that the HDD “went missing” from an outpatient lab. Its disappearance is linked, most probably, to a theft that occurred on August 5 of this year. However, the hospital didn’t realize that the external drive was missing until “a few weeks” after the incident.
The data storage device was not protected with encryption nor a password.
Policies Not Followed
Of course, in this day and age, finding out that a hard drive, computer, laptop, or smartphone is not encrypted is… well, it’s not necessarily news, no more so than finding out that people not wearing seatbelts are in a grave condition after a car accident. In other words, it’s less of a scandal and more of a jaded “meh” incident. (Well, for those who aren’t directly affected by it.)
Still, it is disappointing to find out that stuff like this is still happening. It’s not as if the medical establishment didn’t know of their responsibilities where patient data protection is concerned:
“Certain mandatory encryption policies were not followed in this case and that is unacceptable,” Dr. Mark Joffe, vice-president and medical director, Northern Alberta, said in the release.
“The policies were reviewed with staff to prevent any future issues. Security measures and building access for statutory holidays have also been reviewed by AHS Security and new changes will prevent future issues with inappropriate access to the lab.”
As a result, there was a breach of “patient names, gender, dates of birth, physician name and medical record numbers, which are not the same as Alberta personal health care numbers.”
The silver lining may be in that last bit. It’s because of data breaches like this one that data security professionals insist on not collecting any more data than necessary and using substitute data where possible. The easiest thing for the hospital would have been to use Alberta personal health care numbers as personal identifiers. Instead, they appear to have issued medical record numbers that are used by the hospital alone. Plus, they seem to know exactly what kind of patient data was affected, which is not necessarily the case when it comes to medical data breaches.
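To make the substitute-identifier point concrete, here is an added example (not code from the Heart Institute or AHS, and the class and function names are my own assumptions): a hospital-local record number is issued at random, the mapping back to the provincial number is kept in a separate store, and the lab worksheet that would sit on a portable drive carries only the local number. A check at the end confirms the export contains no provincial number. The patient rows are constructed placeholders.

```python
import secrets

# Constructed sample patients; the "phn" values are placeholders, not real
# Alberta personal health care numbers.
PATIENTS = [
    {"phn": "PHN-PLACEHOLDER-0001", "name": "Patient A", "dob": "1950-01-01",
     "sex": "F", "physician": "Dr. Placeholder"},
    {"phn": "PHN-PLACEHOLDER-0002", "name": "Patient B", "dob": "1962-07-15",
     "sex": "M", "physician": "Dr. Placeholder"},
    {"phn": "PHN-PLACEHOLDER-0003", "name": "Patient C", "dob": "1948-11-30",
     "sex": "M", "physician": "Dr. Placeholder"},
]


class RecordNumberIssuer:
    """Issues hospital-local medical record numbers (MRNs).

    The MRN is random, so nothing about it can be reversed into the provincial
    number. The two-way mapping lives only in this object (in practice, in the
    hospital's master patient index), never in a lab export.
    """

    def __init__(self, prefix="MZ"):  # prefix is an assumed, illustrative value
        self._prefix = prefix
        self._mrn_by_phn = {}
        self._phn_by_mrn = {}

    def issue(self, phn):
        """Return the existing MRN for this patient, or mint a fresh one."""
        if phn in self._mrn_by_phn:
            return self._mrn_by_phn[phn]
        while True:
            mrn = f"{self._prefix}{secrets.randbelow(10**8):08d}"
            if mrn not in self._phn_by_mrn:  # avoid the rare collision
                break
        self._mrn_by_phn[phn] = mrn
        self._phn_by_mrn[mrn] = phn
        return mrn

    def resolve(self, mrn):
        """Look up the provincial number; only the index holder can do this."""
        return self._phn_by_mrn[mrn]


def build_lab_export(patients, issuer):
    """Build the worksheet an outpatient lab actually needs.

    Only the fields used at the bench are copied; the provincial number is
    deliberately not among them, mirroring the data set described above.
    """
    return [
        {
            "mrn": issuer.issue(p["phn"]),
            "name": p["name"],
            "dob": p["dob"],
            "sex": p["sex"],
            "physician": p["physician"],
        }
        for p in patients
    ]


def export_leaks_phn(export, patients):
    """Return True if any value in the export equals a known provincial number."""
    phns = {p["phn"] for p in patients}
    return any(value in phns for row in export for value in row.values())


if __name__ == "__main__":
    issuer = RecordNumberIssuer()
    export = build_lab_export(PATIENTS, issuer)
    print("rows exported:", len(export))
    print("export contains a provincial number:", export_leaks_phn(export, PATIENTS))
```

The check is the part worth keeping in a real pipeline: run it on every file destined for removable media, and treat a hit as a release blocker. It does nothing about the missing encryption, which is a separate control; it only limits what a lost drive can reveal.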
Everything else, however, is a disaster. The lack of encryption on the external drive? Not realizing the device was missing after a break-in? Policies, supposedly meant to prevent all of this, not followed?
Unfortunately, it’s an oft-heard story.
Dr. Joffe, the spokesperson quoted above, noted that the information in question would be “difficult… to use on its own.”
A glance at the type of information involved lends credence to this statement. However, as followers of data security issues very well know, it’s rare that breached data stays intact. It is sold, traded, combined, etc. until it is transformed from a semi-worthless digital list of ones and zeroes into information that can be used for less than licit purposes. People engaged in these activities may do some work, like searching social media pages to obtain more data on individuals, or looking up names in legal but public records,
Furthermore, criminals have shown themselves to be very imaginative when it comes to making a mountain out of a molehill… and succeeding. Six hundred and fifty names may not be much when it comes to “big data,” but it’s 650 chances to attempt a scam. Unlike, say, information listed in a phonebook (it’s assumed that these must still exist somewhere), the stolen list of names has a salient commonality: they’re all tied to the Mazankowski Alberta Heart Institute.
And that tiny piece of information can make all the difference in the world.