Earlier this week comes news of another privacy breach. It appears that the British Columbia Health Ministry has suffered a privacy breach involving its PharmaNet system. After what appeared to be some suspicious activity, the ministry conducted a forensic examination and discovered that an unknown party had accessed the system from March 9 until June 19, 2014, when the access was discovered and terminated.
Medical histories of 34 people were also accessed in the breach, which took place between March 9 and June 19, but no fraudulent prescriptions were obtained. No banking information was taken, but the government warned the perpetrator did access enough personal details to make identity theft a concern.
Affected patients are being contacted by letter starting Friday, and the ministry is urging them to keep a close eye on their bank accounts, credit cards and online services.
In all, 1,600 patients were affected by the breach.
So, what controls were in place?
From the PharmaNet site:
PharmaNet complies with the B.C. Freedom of Information and Protection of Privacy Act. It is subject to strict privacy and security measures designed to prevent unauthorized access and protect the information in its databases. For instance, PharmaNet operates behind a "firewall." All users must sign a confidentiality agreement before being granted access and must provide a unique identification code when logging on to PharmaNet. Furthermore, PharmaNet consists of separate components—each component is accessible only to the specific users who require access for their work.
Hmm, the fact that the word "firewall" is in quotation marks gives me pause. What other controls were in place? I would hazard, based on this access, that the data in question had no encryption involved.
In a press release, the Ministry had this to say: “The privacy breach involved the names, dates of birth, addresses, telephone numbers, and personal health numbers (BC Services Card or Care Card numbers) of all the affected people. For 34 people, the unauthorized access also involved looking at medication histories.” So, how exactly did this person access the system? Was an administrative password guessed or compromised? Was there a network breach? This is decidedly lacking some salient details.