Showing posts with label incident. Show all posts

Incident: Sick Kids physician loses portable hard-drive with unencrypted personal health information


A physician from Sick Kids hospital who decided to travel with a portable hard-drive containing unencrypted health information on 3,300 patients lost the drive in Canada's busiest airport. This happened six weeks after the Information and Privacy Commissioner ordered that the hospital not allow electronic health information to leave the hospital unless it was encrypted. See: TheStar.com - living - Sick Kids doctor loses data on 3,300 patients.

Incident: Security breach hits TradeFreedom


Canadian brokerage TradeFreedom has been hit with a security breach and is notifying some of its customers that their information may have been compromised:

reportonbusiness.com: Security breach hits online brokerage

Online broker TradeFreedom Securities Inc. has quietly notified an unidentified number of its customers that a computer security breach has compromised some of their personal information, potentially exposing them to fraud.

In what it described as a follow-up to an Aug. 17 notice to clients, it said in a Friday e-mail that it had finished its investigation into the "recent unauthorized intrusion" of one of its computer systems.

"We have subsequently determined that, despite our security systems in place at the time, this unauthorized intrusion has also resulted in the compromise of some of your personal information," TradeFreedom said. "This information is your name, social insurance number, city, province and postal code."

Citing a continuing police investigation by the Sûreté du Québec, TradeFreedom president Bruce Seago said he could not release any details about the nature or timing of the computer security breach....

Incident: Monster.com criticized for waiting five days to report data breach


Reuters is reporting that databases of Monster.com were broken into and the personal information of 1.3 Million users was compromised. Much of the focus is on a five-day "delay" in making the matter public, though I think five days really isn't a long time to investigate and figure out what to report. See: Monster.com Delayed Disclosure of Data Theft - New York Times.

Incident: Patient information cards sold at auction in Saskatchewan


Another case of personal information being sold at auction, this time in hardcopy form:

Patient information cards sold at auction

REGINA -- The Saskatoon Health Region apologized Tuesday after more than 2,000 patient information cards that were supposed to be treated as "very confidential" were accidentally sold at an auction of health region surplus material rather than shredded.

The plastic cards are used to make imprints on documents for patient records. The cards contain names, dates of birth, addresses, religious affiliations, health card numbers and the names of the patient's doctor.

They were used between January and May of this year for day surgery patients and outpatients at City Hospital.....

Incident: Private medical records of Colorado residents exposed on Internet


From Minnesota public radio:

MPR: wavLength: Private medical records of Colorado residents exposed on Internet

Private medical records of Colorado residents exposed on Internet


Posted at 10:03 PM on May 22, 2007 by Jon Gordon



On Friday's Future Tense, you'll hear this story:



As medical records are created and transmitted electronically more and more, the chance of private information falling into the wrong hands is growing. Sometimes records are stolen by hackers, other times just improperly secured. Compromised records can lead to a range of problems, from loss of employment to identity theft to plain old embarrassment.

Future Tense has discovered that detailed, personally identifiable medical records of thousands of Colorado residents were viewable on a publicly accessible Internet site for an uncertain period of time through at least last Friday, May 18. The data included patient records from at least 10 Colorado clinics and hospitals, and one hospital in Peoria, Illinois. It's unclear how many people may have seen the records.



Experts say the case likely runs afoul of federal health information privacy laws, even though there is no evidence that the records were misused.



The unsecured computer, which was accessible through a Web browser, was operated by Beacon Medical Services of Aurora, Colorado, which provides billing, coding and other services to emergency physicians at 17 facilities.



Beacon CEO Dennis Beck says he was shocked to learn about the breach and that the company took immediate steps to correct it.



"We've implemented a culture of compliance and data security and it just did not seem consistent with our culture, our practice and our experience," he said.



The medical records resided on an FTP server. FTP stands for File Transfer Protocol. It's a means by which users send and receive computer files over the Internet or private networks. In Beacon's case - and this is typical of the industry - health care providers sent encrypted data to the server for Beacon to access so it could bill patients and insurance companies. The data was unencrypted on Beacon's end, and the FTP server was not supposed to be accessible to the public. But in this case it was. No username or password was required to view the records.



The data included details of patients' visits to emergency rooms -- what ailments they complained of, diagnoses and treatments, and medical histories, along with the patients' names, occupations, addresses, phone numbers, insurance providers, and in some cases, Social Security numbers. Some of the records detailed sensitive cases, from sexually transmitted diseases to severe depression. The site also contained financial information, such as a list of low-income patients who received state aid to help pay their medical bills.



Beacon has employed two firms to help investigate what led to the security hole.



"It appears to us now at this point as if there was some back door that was opened to this server," said Beck. "We don't know when, but we believe it may have been done when a consultant did some work for us several years ago."



The company is trying to determine the exact number of patients affected, but Beck says the number looks to be fewer than 5,000.



Future Tense discovered the Beacon site after a tip from a source who stumbled upon it. We followed up on the tip, staying just long enough to confirm the existence of the records and get an idea what kind of data they contained. We notified several health care providers whose patient data was exposed. Those providers informed Beacon, which promptly shut the server down when it learned of the problem.



Bill Byron is spokesman for Banner Health Corporation, the parent company of McKee Medical Center of Loveland, Colorado, one of the providers whose data was included on the FTP site. Byron said McKee physicians won't transmit any more records to Beacon until they're satisfied the security problem is fixed.



"We're trying to understand what our obligations are going to be, in terms of disclosing to patients that this has occurred, so that's still in process, to determine what we have to do," he said.



The Colorado medical records incident appears to be a serious violation of federal law governing medical record privacy, according to Janlori Goldman, director of the Health Privacy Project at Georgetown University.



"Large-scale breaches like this are not uncommon," she said. "They may not happen every day but they happen enough that you have to wonder, why aren't people taking greater care with this information?"



About a year ago, for example, a data security breach exposed medical information and Social Security numbers of some 26 million veterans after data was stolen from the home of an employee of the Department of Veterans Affairs.



Tomorrow on Future Tense, we'll explore the potential harm of compromised medical records, and look at the federal law designed to protect patients. One critic of current law says patients have very little recourse when their most sensitive medical records become public.



Here is a list of physician groups, clinics and hospitals which had data of various kinds on the exposed site:



-McKee Medical Center of Loveland, CO
-Big Thompson Emergency Physicians of Longmont, CO
-Presbyterian St. Luke's Hospital of Denver
-North Suburban Medical Center of Thornton, CO
-Carepoint Emergency Physicians of the greater Denver area
-Long's Peak Emergency Physicians
-Longmont United Hospital
-Boulder Community Hospital
-Emergency Medical Specialists PLC
-Memorial Hospital of Colorado Springs
-Proctor Hospital of Peoria, IL

Incident: Alcatel-Lucent Trying to Find Lost Disk


A courier has apparently lost a disk containing personal information on up to 200,000 employees, including dates of birth and social security numbers. In the meantime, the company will not be using couriers to transport employee information. See: Alcatel-Lucent Trying to Find Lost Disk.

Security breach affects hundreds of thousands of porn consumers


Personal information on hundreds of thousands of users of adult websites may have been compromised in a breach that is said to have the potential to undermine the confidence that most consumers have in porn websites. Hmm.

See: Porn Industry Frets Over Security Breach Internet: Customers' Personal Data Accessed. - Technology - RedOrbit.

Incident: A very personal data breach


According to BoingBoing, personal lubricant maker Astroglide has gotten itself into a slippery situation by allowing information on thousands of its customers to be accessible on the web. Information included names, addresses and lubricant purchases. Some of the information is still available through Google cache pages, showing how sticky the web can be. See: Boing Boing: Sex lube co's data breach exposes 250K+ personal records.

Incident: Ontario patient files found in dumpster


The Ontario Information and Privacy Commissioner is investigating after old medical records were found in a dumpster behind a coffee shop by a retiree. The affected patients will have to be notified as the information is subject to PHIPA, which contains Canada's only mandatory breach notification. See: TheSpec.com - Local - St. Joe's patient files found in dumpster.

Incident: Disk with data on 2.9M Georgians lost


The beat goes on ...

Disk with data on 2.9M Georgians lost - Yahoo! News

Tue Apr 10, 12:15 PM ET

ATLANTA - A computer disk containing the names, birth dates and Social Security numbers of 2.9 million Medicaid and children's health care recipients is missing, Georgia health officials said Tuesday.

The state said the security breach was reported by Affiliated Computer Services, a private vendor with a contract to handle health care claims for the state.

The CD was lost while it was being shipped from Georgia to Maryland, ACS spokesman David Shapiro said. The company has been working with the carrier, which Shapiro would not identify, for several days to find the package, he said.

Shapiro said there was no indication anyone had tried to access any of the personal data.

"We are treating this as a missing package," he said.

Officials said the information, including addresses, covered the four-year period up to June 2006 and included some people who are no longer on the rolls.

The Georgia Department of Community Health said it was requiring the Dallas-based company to notify everyone affected and to offer free credit reports. The children's health care program involved in the data loss is called PeachCare.

PeachCare is the state's health insurance program for low-income children. Medicaid is a health insurance program for the poorest residents. Both programs are funded with a combination of state and federal dollars.

State officials notified the Centers for Medicare and Medicaid Services, the U.S. Department of Health and Human Services, the Governor's Office of Consumer Affairs and the state attorney general.

Incident: Tax files, private info turn up in Vancouver dumpster


In case you needed further proof that you must shred all personal information that you're disposing of, loads of personal tax information has surfaced after a high-profile accountant in Vancouver chucked it into a locked dumpster outside his offices:

CTV British Columbia- Tax files, private info turn up in dumpster - CTV News, Shows and Sports -- Canadian Television

... Many of the documents -- marked with phrases such as "personal and confidential" -- come from the office of Peter Roberts, a well-known accountant.

"Oh my gosh," said one of Roberts' clients, David Weinberg, whose name was on several files.

"I'll have him either return this to me or assure me that he will be changing his privacy practices going forward to assure that not just this but all of his clients' documents are properly shredded."

When reached by phone, Roberts said that he put a bag full of the documents in the dumpster on Saturday.

He said he doesn't own a shredder and believed the documents would be safe because the dumpster is secured by a padlock.

But to Vancouver's large and innovative homeless population, a lock isn't much of a safeguard....

Thanks to a regular reader from the west coast for pointing me to this incident.

Incident: Passport applicant finds massive privacy breach


This is interesting:

globeandmail.com: Passport applicant finds massive privacy breach

A security flaw in Passport Canada's website has allowed easy access to the personal information - including social insurance numbers, dates of birth and driver's licence numbers - of people applying for new passports....

Thanks to Michael Geist for the link.

Info on participants in kids' summer program found in open trash in Toronto


The Toronto Sun is reporting that information about children who participated in a city-funded summer program was found in an open trash bin in a Toronto apartment building. The Sun also notes that a resident of the building was recently charged for child pornography offenses, but the two do not appear to be related.

TorontoSun.com - Toronto And GTA- Kids' data exposed

Documents containing detailed information on children who participated in a city-funded summer program were carelessly left out in the open at a public housing apartment building where a man was recently charged with possession of child pornography.

George Pappas, director of the Glamorgan Resident's Association, was running one of his weekly social events for the residents when he and another member of his group found approximately 200 pages near the top of a garbage can in the rec room.

The papers contained the birth dates, health card numbers, contact details and other personal information on children from 6 and 7 Glamorgan Ave. and other nearby Toronto Community Housing buildings who participated in the summer program. ...

More disks missing from HM Revenue and Customs


It's interesting what comes out when people start asking more questions: BBC NEWS Politics Six more data discs 'are missing'.

Illustration of ten largest data breaches since 2000


Flowing Data, which "explores how statisticians, designers, computer scientists, and others are using data to understand more about ourselves and our surroundings", has an illustration of the ten largest recent data breaches. See: 10 Largest Data Breaches Since 2000 - Millions Affected FlowingData. Via Boing Boing.


Incident: Veterans Affairs hard drive with personal data missing


The Associated Press is reporting that the US Department of Veterans Affairs has lost a portable hard-drive that contained unencrypted records of thousands of veterans. See: AP Wire | 02/03/2007 | VA hard drive with personal data missing.

Incident: Club Monaco associated with privacy breach


Fashion retailer Club Monaco is now associated with a third information breach, though the details are very sketchy. From the Globe & Mail:

globeandmail.com : globeinvestor.com : Clothing chain tipped to security breach:

Fashion retailer Club Monaco has called in the RCMP to investigate a possible privacy breach involving customers' credit card numbers -- the third time in the past week that a major Canadian company has been plagued by security issues.

Club Monaco confirmed it was alerted to the problem by a credit card processor late last year and said it immediately hired a forensic firm to help the Mounties with their probe. Banks and other card issuers were also notified of the problem, and have been combing client records for any signs of fraud, according to sources in the financial community.

Investigators have found no evidence to suggest a breach occurred, a spokeswoman for the clothing chain said yesterday, adding that the data under investigation do not include names, addresses or phone numbers. She said the company has not determined how many customers might be affected.

'We've been told through the report thus far that our systems are very secure,' Wendy Smith said. 'It's an active investigation.'...

Winners security breach hits home


The Globe & Mail is reporting that significant fraud has been linked to the Winners information breach:

globeandmail.com: Winners security breach hits home

Thousands of Canadian credit-card holders have been victimized by fraud after a security meltdown at the U.S. parent company of retail chains Winners and HomeSense, according to sources in the financial community.

They suggested that number could rise as banks and other credit-card issuers continue to gather information on what has become one of the most high-profile privacy thefts in recent memory.

“We have seen fraud on some of those accounts that we can directly link back to [the breach],” said an official with one card issuer, who cautioned his company is still determining how many of its clients could be left vulnerable by the hacking incident. He added that issuers are directly contacting any customers whose cards appear to have been used fraudulently.

Litany of small scale privacy breaches


Last week, Global Television's main news program aired a number of reports relating to privacy breaches at Canada Revenue Agency. This has led to a number of viewers contacting the TV network to report their own versions, involving Revenue Canada and others.

The Global Maritimes ran a report on Thursday about a woman in Nova Scotia who was repeatedly sent the credit card information, including the "secret code" for a cardholder in Ontario. When she informed them of the screw-up, they told her she was wrong and kept resending the info to her. When contacted by Global's reporter, the Ontario cardholder was furious that he had no idea that a woman in Bridgewater, Nova Scotia, could have gone to town on his Visa account and the company apparently never did anything to protect his account.

There are also a number of small scale breaches recounted as comments to the CRA breach story on the Global TV website:

Taxman moves to protect privacy

Winners class action


This didn't take long: WINNERS STORES NATIONAL CLASS ACTION.
