Home » News
Receive News By Email

  • del.icio.us
  • Digg
  • StumbleUpon
  • Reddit
  • Facebook
  • Google
  • RSS Icon
  

Canadian commissioner questions security following laptop theft

June 25, 2009 | Molly Merrill, Associate Editor

ALBERTA, CANADA – Two laptops containing the health information of more than 300,000 people were reported stolen from Alberta Health Services, leading the information and privacy commissioner of the Canadian province to question the organization's level of security.

The laptops were stolen from a research lab at the University of Alberta Hospital earlier this month, according to the Edmonton Journal.

Information on the laptops included names, birth dates, personal health numbers and lab test results for communicable and reportable diseases that reportedly were not encrypted.

"This is shocking for me... I don't know what we have to do to drive this message home," said Privacy Commissioner Frank Work. "The standard in Alberta for storing personal or health information on portable devices is encryption. I can't accept anything less. This is highly sensitive information and an issue of public trust. How can the public have faith in public bodies if they can't provide security for personal information?"

"The public should not be concerned," Bill Trafford, chief information officer of the AHS, told the Edmonton Journal. "We believe there's very, very low risk of any information on those devices being made accessible to anybody else."

 Work said although AHS did have layers of protection on the stolen laptops, the final layer was not there, and thus a risk remains – even if it is low.

"A person with motivation and sufficient skills could still access the information," he said. "Risk remains without properly implemented encryption. The measures they had in place are better than nothing, but not good enough."

"Encryption technology is readily available, and if you are going to store personal information on a portable device, you had better make sure that encrypting that information is a priority, a part of your business model and an everyday occurrence, like making sure the door is locked before you leave home," he added.

The Office of the Information and Privacy Commissioner has launched an investigation into the stolen laptops.

"We will be working very closely with AHS to make sure they understand their obligations and to ensure that steps are taken to prevent this from happening again," Work said.
 

Related Topics:

Reader Comments (2)Login to Post a Comment

Brandon77 says: It is a very disturbing
February 18, 2010 | 2:00PM GMT

It is a very disturbing situation. It is hard to talk about who is guilty in this situation and who is not. The fact is one and only: The information about 300,000 patients don't have to be kept in one and only laptop... It has to be divided, moreover it has to be encrypted under 100 passwords. Just imagine how could be used those lab test results of 300,000 people... It is really horrible. But I can understand the employees from these health services. They couldn't imagine in their worst dream that it can actually happen. I am wondering if these laptops were found or not. I think I will have to search on google for that information. Anyway thanks for the interesting and disturbing article and I will be waiting for more nice ones from you in the nearest future.

Sincerely,

Brandon Gickson from hp laptop battery website

MikaDCC says: Security Beyond Encryption?
June 25, 2009 | 11:37AM GMT

Yes, everything should be encrypted. That's the first problem. But beyond encryption, I would be interested to know what type of security measures are in place to prevent the theft and loss of equipment holding such sensitive data.

What are the "layers of protection" referred to here? Were they just employee password requirements, or do the laptops have a chip on them to track them if they move about or outside of the building?

If the lab had a tracking system in place -- like a radio frequency solution for asset tracking and / or staff tracking -- this would not have happened. An embedded RFID chip could have monitored the chain of employee contact and/or could have alerted someone when the laptop approached a restricted area (the exit for example).

Canadian hospitals are pretty good about staying on top of new technologies, so it's mind boggling that there was no effective measure in place to prevent this type of sensitive information from being stolen.

If Alberta Health services and/or the University of Alberta Hospital are welcome to contact me if they are interested in seeing case studies of hospital using RFID to protect their assets, staff and patients while lowering operating costs. (We're a vendor-neutral, technology-agnostic party).

For the sake of the patients whose data was stolen, I hope they look into better ways to prevent this from occurring again.

http://www.DynamicRFIDSolutions.com