The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.

Wednesday, March 30, 2005

Incident: Encrypted tapes containing health information on hundreds of thousands of Albertans missing or tampered with 

It appears a bit coincidental that I posted this morning that organizations should encrypt data to prevent privacy breaches (PIPEDA and Canadian Privacy Law: Managing privacy risks using basic technology) and I've just discovered the Calgary Herald is reporting that encrypted mainframe tapes containing health records of "hundreds of thousands" of Albertans have gone missing. I hope this is a "non-incident", but in any event the Information and Privacy Commissioner of Alberta is on the case:

Alberta health records go astray: 'Hundreds of thousands' of files feared breached:

"Confidential health records of 'hundreds of thousands' of Albertans disappeared or were tampered with while in the hands of a courier earlier this month, prompting an investigation by the province's Information and Privacy Commissioner.

Details were scarce, but government sources told the legislature bureau on Tuesday that Privacy Commissioner Frank Work has been called in to investigate after data -- digitized, encrypted, and stored on large reel-to-reel tapes -- went missing or was otherwise tampered with while in transit between two government facilities.

It appears the tapes were backups, mainly for archival purposes. The information is considered confidential and could include medical records, prescriptions and billing history.

Sources would not confirm if the tapes were recovered or the police were investigating.

The sources said Health and Wellness Minister Iris Evans was assured by an expert with IBM Canada that a mainframe computer system and the proper encryption code would be needed to read the data.

Nonetheless, there is some concern that organized criminal gangs could have the ability to crack the code and use the highly private information...."

Update:

CBC Calgary - Privacy commissioner looking into missing health info:

"...'There are names, health care and payroll numbers, payroll rates and the family status of the names on it,' Deere said. 'So there's no real personal health information on it, per se.

'But we take any potential breach of privacy quite seriously, and that's what this is, a potential breach. So we've reported it to the privacy commissioner and he's investigating.'

Deere said birth dates weren't part of the information on the tapes...."

3/30/2005 09:17:00 AM
Comments:
I totally love your web site! It's interesting and heart-warming to see that somebody realizes that the protection of privacy is so important that if we don't defend it we will lose it entirely. I noticed you didn't put a date on your update though.

This issue is one of the most important to Albertans ever, yet news reporters, opposition parties, etc. are not much interested in it.

Why is this coverup so very important to the officials who breach your security?

It appears to me (after I phoned many sources) that there are no Alberta or Canadian laws that state that if a person's privacy is breached the company or government at fault is required to notify individuals within a SPECIFIED TIME PERIOD. Neither privacy commissioners, opposition parties, nor news reporters have been able to tell me they are aware of such laws.

When this health computerization first started, I asked the health people how secure it would be and they assured me it would be very secure (always a joke of course).
They stated that if anyone's records were breached, they would be advised immediately.

Well it's been several months now, and no doubt investigations will take another five or ten years. No doubt they fear a lawsuit. Likely they will investigate such breaches for very long periods, hoping people will simply forget about them.

The reason people must NOT forget is that if Alberta eventually goes to private health care, and indeed more and more procedures do require it, every second Albertan who has had his security breached in this case, may suddenly discover that he CANNOT get private health care and he won't be told why. There is no law stating that people must be told why either.

In the case of one of your other articles where many civil servants had their data stolen, that could affect Albertans too. These people may find out that they may never get a city or government job in the future, and won't be told why in that case either.

Albertans really need to wake up quickly. They are fools if they believe that since only tiny bits and pieces of information about them are stolen from 20 or 30 sources, no one will be able to compile that. This type of information is worth billions of dollars to security agencies who sell private information about you over the internet.

Albertans are also fools if they believe the stories from the health department that no one will be able to encrypt certain codes. Anyone can encrypt anything if they have a few dollars to pay someone. There will always be a willing person who will supply such information for money.

Canadians, and Albertans in particular, need laws to protect ourselves and we won't get them unless we realize the extreme dangers.

I wish we had good news reporters in Calgary. What Canada so much needs right now are investigative news reporters versus the lazy ones who park their butts at computer desks and compile info from the internet.

Just as lack of government concern can destroy the freedom of a country, so can lack of "news reporter" comment. News reporters who "CARE" are very important to the country.
 
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.