Latest news with #privacycommissioner
CTV News
18 hours ago
- CTV News
Lost RCMP memory key with informant details was offered for sale by criminals: report
Privacy Commissioner of Canada Philippe Dufresne waits to appear at the Standing Committee on Access to Information, Privacy and Ethics in Ottawa on Tuesday, Nov. 19, 2024. THE CANADIAN PRESS/ Patrick Doyle OTTAWA — The federal privacy watchdog says the RCMP lost a memory key containing personal information about victims, witnesses and informants, and later learned it was being offered for sale by criminals. A detailed report from the office of privacy commissioner Philippe Dufresne reveals the RCMP told the watchdog about the breach in March 2022, prompting a lengthy investigation. The probe found that the unencrypted USB storage device contained the personal information of 1,741 people, including witnesses, complainants, subjects of interest, informants, police officers and civilian employees. The privacy commissioner says an RCMP detachment learned from a confidential source three weeks after the loss that the data on the device was being offered for sale by members of the criminal community. The privacy watchdog recommended the RCMP adopt strict security measures for the use of USB storage devices, given the sensitive nature of the personal information police handle daily. The commissioner says the Mounties agreed in principle to the recommendations but did not commit to implementing them within a specific timeline. Article by Jim Bronskill.
CTV News
6 days ago
- Business
- CTV News
Committee to discuss NS Power breach that allowed theft of 280,000 customers' data
Peter Gregg, president and CEO of Nova Scotia Power, makes an appearance before the Nova Scotia legislature's law amendments committee, in Halifax, Monday, Oct. 31, 2022. THE CANADIAN PRESS/Keith Doucette HALIFAX — A provincial legislative committee is scheduled to meet today to discuss the recent Nova Scotia Power cybersecurity breach that allowed cyber-thieves access to data from 280,000 customers. The privately owned utility's CEO and other senior staff with Nova Scotia Power were called as witnesses to the standing committee on public accounts, which is set to meet this morning. Company CEO Peter Gregg has previously said the data of about 280,000 Nova Scotia Power customers was breached in a ransomware attack — which is more than half of their total customers. The breach of the customer records was first reported in late April, and the company later indicated the first breach was detected in mid-March. Gregg said the social insurance numbers of up to 140,000 customers had been collected by the utility, and therefore could have been accessed in the breach. He says Nova Scotia Power gathered these social insurance numbers as a way to authenticate customers' identities in cases where multiple customers have the same name, but social insurance numbers aren't required from its customers and were offered voluntarily. The federal privacy commissioner has launched an investigation into a ransomware attack, with Philippe Dufresne saying in a statement last week he started the probe after receiving complaints about the security breach the utility reported in late April. This report by The Canadian Press was first published June 4, 2025.
Yahoo
6 days ago
- Politics
- Yahoo
Committee to discuss NS Power breach that allowed theft of 280,000 customers' data
HALIFAX — A provincial legislative committee is scheduled to meet today to discuss the recent Nova Scotia Power cybersecurity breach that allowed cyber-thieves access to data from 280,000 customers. The privately owned utility's CEO and other senior staff with Nova Scotia Power were called as witnesses to the standing committee on public accounts, which is set to meet this morning. Company CEO Peter Gregg has previously said the data of about 280,000 Nova Scotia Power customers was breached in a ransomware attack — which is more than half of their total customers. The breach of the customer records was first reported in late April, and the company later indicated the first breach was detected in mid-March. Gregg said the social insurance numbers of up to 140,000 customers had been collected by the utility, and therefore could have been accessed in the breach. He says Nova Scotia Power gathered these social insurance numbers as a way to authenticate customers' identities in cases where multiple customers have the same name, but social insurance numbers aren't required from its customers and were offered voluntarily. The federal privacy commissioner has launched an investigation into a ransomware attack, with Philippe Dufresne saying in a statement last week he started the probe after receiving complaints about the security breach the utility reported in late April. This report by The Canadian Press was first published June 4, 2025. The Canadian Press Error in retrieving data Sign in to access your portfolio Error in retrieving data Error in retrieving data Error in retrieving data Error in retrieving data
CBC
13-05-2025
- Health
- CBC
N.W.T.'s medical record system under the microscope after 2 reported cases of snooping
Medical records are among the most sensitive pieces of information that a government agency keeps on citizens. But these records are not impervious to snooping, as evidenced by two distinct cases reported this year by the Northwest Territories Information and Privacy Commissioner. The privacy commissioner issues reports on cases in which an investigation yields evidence of intentional and unauthorized access to private health information, commonly known as "snooping." This year, commissioner Andrew Fox publicly reported two distinct cases of snooping in electronic medical records. They both involved employees of the Northwest Territories Health and Social Services Authority (NTHSSA). Taken together, the cases illustrate vulnerabilities in the NTHSSA's electronic medical record (EMR) system. According to at least one expert, the EMR system doesn't appear to meet the highest ethical standards for patient privacy. An EMR is a digital version of a patient's medical history. It can include things like test results, X-rays and prescriptions. One of the cases published online this year by the privacy commissioner involves an instance in 2021 of an administrative clerk with NTHSSA deliberately opened a person's EMR and relayed some of their private health information to another person. The clerk did this "without consent and without lawful authority," wrote Fox. The clerk admitted to wrongdoing during an NTHSSA investigation, and was fired some months later. Fox called this a "particularly egregious, intentional privacy breach." He said the health authority's response was appropriate, but that the agency should have revoked the employee's EMR access as soon as it confirmed the breach. The health authority uses "role-based access" to the EMR system, meaning an employee's access is limited to what is necessary for their role. Fox noted that on occasions when the clerk was assigned to other roles, the NTHSSA didn't restrict her EMR access in accordance with those roles. 'I felt incredibly violated' The second case published this year involved two NTHSSA employees who, on multiple occasions, snooped in the medical records of a patient who wasn't in their care. The employees were siblings and the patient had previously been in a relationship with one of them. It wasn't until the patient filed a "record of activity" request in July of 2023 — a report on who had looked at her EMR — that she learned of the breach. "I was disgusted. I felt incredibly violated," said Maryse Gravelle, the patient who had her medical records snooped. "Our financial institutions have software in place to identify when there's a fraudulent charge possibly being made on our accounts," she said. "How can a banking institution have those sorts of safeguards in place, but there's no alerts on hospital software, on emergency medical records, to alert when there's a suspicious action in somebody's chart?" In his report, the privacy commissioner said the siblings' jobs granted them "broad access" to the EMR system. Their motivation for opening the patient's records seems to have been "curiosity proceeding from a personal relationship." Fox called the privacy breach a "deliberate and serious breach of trust," and said it caused the patient "significant distress." Both siblings admitted to misconduct, were suspended without pay for 10 days and had their EMR access revoked for at least 18 months. The health authority is required by law to notify a patient about a breach of their medical records "as soon as reasonably possible." In a statement, NTHSSA CEO Kim Riles said the health authority must investigate all reports of privacy breaches, and upon completion of an investigation, notify the affected people. "At times, the investigation process can take a significant amount of time," wrote Riles. She added the NTHSSA is reviewing its practices and "has committed to ensuring the notification occurs as soon as a privacy breach is confirmed, regardless of whether a full investigation has been completed." She said the agency accepted the privacy commissioner's recommendations and continues to improve and update mandatory training. Auditing EMRs 'a real challenge' Livia Kurinska-Hrdlickova is the territory's chief health privacy officer. She said routine audits check for suspicious activity in the EMR system, which if found, is flagged to the health authority. But Fox told CBC that auditing EMRs for instances of unauthorized access is "a real challenge." "If you looked at some random sample of employees looking at health records, there's really nothing that you could infer from the fact that a lab assistant looked at someone's medical record," he said. "You couldn't tell whether that was authorized or not." Neither of the two snooping cases Fox published this year were flagged by a routine audit. Kurinska-Hrdlickova explained that an employee with role-based access to the EMR system has gone through mandatory privacy training, and taken an oath of confidentiality. They need a patient's first and last name, and their date of birth or health-care number, to open their medical record. The system also relies on trust that employees with access will only use the EMR system when it's required for their work on a specific case. "Any system across Canada is not perfect," said Kurinska-Hrdlickova. "You never go to a zero risk, right? Because that's impossible." EMR system not structured 'according to ethics': expert As Fox noted, NTHSSA extended trust to the employees with EMR access, and the employees breached that trust. Eike Kluge, a University of Victoria biomedical ethics professor, said in the case of the siblings, the EMR system shouldn't have allowed them to open Gravelle's record in the first place. "There should be a challenge. Justify who you are and what right you have to access that record," he said. Kluge said the system shouldn't just flag improper access, it should prevent it. If the system isn't blocking improper access, "it's not properly structured," he said. "Certainly not according to ethics." Kurinska-Hrdlickova disagreed with Kluge's assertion and said the territory's EMR system complies with territorial privacy legislation. She also said the territory's EMR system is set to be replaced in the near future, and that the new system will have even stronger privacy protections. There isn't readily available data on the prevalence of medical record snooping in the N.W.T. or in Canada.
