Tag: Breach

Health-care workers pulled out of Thessalon First Nation following privacy breach

‘It was honestly shocking’: Maamwesying North Shore Community Health Services informed patients that a nurse with the First Nation accessed personal health information without authorization

Maamwesying North Shore Community Health Services pulled all of its health-care workers out of Thessalon First Nation last month following a privacy breach involving unauthorized access to patients’ personal health records. 

A letter from the Indigenous health-care provider was sent to patients who had been impacted by the privacy breach this past March. Although it remains unclear exactly how many people were affected by the breach, sources tell SooToday it’s believed that more than 20 people who received health-care services in Thessalon First Nation had their personal health information compromised when a staff member with the First Nation accessed their files. 

Approximately 113 people live in Thessalon First Nation, according to recent statistics from Crown-Indigenous Relations and Northern Affairs Canada.   

“Please be reassured that there is no indication your personal health information (meaning your diagnoses, test results, clinical notes, address or contact information) was shared with anyone else,” said the letter. “The community staff member has confirmed that no copies were made and that your health record was not altered or removed from the building.” 

The letter also indicated the staff member no longer had access to Maamwesying’s electronic medical record, and that the health-care provider was reviewing its privacy policies, providing mandatory privacy re-training for employees and community partners, and posting privacy information in its waiting room to ensure patients know their privacy rights. 

“In the future, we will continue to focus on ongoing staff and community privacy training as a priority,” said the letter. “We will also continue privacy audits of our electronic medical records system to ensure we are notified of any unusual activity in patient files.” 

Maamwesying did not respond to

Privacy breach ‘absolutely terrifying’ – Winnipeg Free Press

Two Winnipeg residents who were notified a health worker snooped on their medical records — among a string of recent privacy breaches in the province — are demanding the system be made more transparent and accountable.

Daniel Hidalgo and Shontise McFadyen received identical letters from the Winnipeg Regional Health Authority in December, alerting them an employee had inappropriately viewed their personal health records dozens of times.

The pair are colleagues at CommUNITY204, a non-profit organization founded by Hidalgo to serve Winnipeg’s homeless population.

According to the letters, viewed by the Free Press, the privacy breach was identified during a routine audit earlier that month.

“It’s absolutely terrifying because all you can think is there must be some kind of spiteful or malicious intent behind it,” Hidalgo said.

MIKAELA MACKENZIE / FREE PRESS
                                Daniel Hidalgo, whose personal medical information was breached last year, is calling for more transparency in the health-care system.

MIKAELA MACKENZIE / FREE PRESS

Daniel Hidalgo, whose personal medical information was breached last year, is calling for more transparency in the health-care system.

“I immediately responded. I needed to know who this was and if this could be somebody who knows me personally. I wanted to know what they accessed, how long they had access — are there cameras showing them taking photos of these records or were they printed?”

Records provided to Hidalgo by WRHA officials and shared with the Free Press show the woman accused of snooping had allegedly done so 19 times over a period of about nine months.

Hidalgo has met the woman on several occasions through his advocacy work. He believes she may have been working in public health, but does not know why she would look at his personal records.

The health authority refused to confirm the woman’s official job title or whether she is still employed in the region Tuesday.

“The WRHA cannot discuss personal information regarding employees,” a spokesperson said in an email.

Collectively,

Bay Oral security breach exposes protected patient health information

GREEN BAY, Wis. (WBAY) – If you are one of 10,000 clients who received a letter from Bay Oral Surgery and Implant Center this week, listen up. There’s been a privacy incident and your information could be at risk.

In January, Bay Oral discovered an unauthorized person accessed an employee’s email account and viewed client information. In February, the company confirmed the breach and just this week notified clients.

In a Consumer First Alert, we look at why clients are just hearing about this now and what they can do to protect themselves.

We talked to identity theft expert James Lee, who says it’s not unusual for people to hear about a breach several weeks or months after it happened.

In this case, according to Bay Oral, clients’ information was viewed. Lee tells us that if it had been removed or copied, there would be a trail and make it much easier for the company to tell exactly where the risk is. But because it was only available to be viewed, Lee says it likely took longer to figure out what might be at risk.

Here’s what we know about this incident. Investigators found that the unauthorized person installed software, accessed emails, and viewed patient information, including social security numbers and banking information.

While questions remain, Lee says how you protect yourself remains the same no matter what happened.

The goal is to make the information less usable. Change your password, make it unique, and long for accounts. Use multi-factor authentication, and freeze your credit to prevent new credit from being taken out in your name.

Bay Oral declined our interview request on Friday. In a press release, Bay Oral says it has since changed IT companies, added new protections, and is no longer storing protected health information in emails.

N.S. news: Privacy breach at Nova Scotia Health


A former employee at St. Martha’s Regional Hospital, in Antigonish, N.S., inappropriately accessed the personal health information of 2,690 people, according to a news release from Nova Scotia Health.


The health authority says the person responsible has been terminated and it is in the process of sending letters to those who were affected.


“Nova Scotia Health views this as a summary offence under the Personal Health Information Act and the RCMP are currently investigating,” reads the release.


“All those affected will hear directly from Nova Scotia Health and we will be available to discuss the details of these breaches with them.”


When asked what role the employee played at the hospital, Nova Scotia Health would only say it was not “clinical in nature.”


The health authority said suspicious activity was identified in September and the employee was immediately suspended. As the investigation unfolded, the employee was eventually fired in November.


Nova Scotia Health says registration, demographic and clinical information was accessed.


“While we maintain confidence in the ethical practices of employees throughout our organization, we are extremely disappointed that an employee of Nova Scotia Health would engage in activity of this nature,” reads the release.


When asked why it took so long to release this information to the public, Nova Scotia Health’s chief financial officer Derek Spinney said they needed time to figure out the scope of the breach.


“We had enough information initially to understand there was inappropriate activity,” said Spinney.


“We didn’t have a fulsome understanding of the magnitude.”


To that end, Spinney says the health authority used software to cast a net around potential breaches, and then an investigator would look at each individual record to see if there were signs it had been

Nova Scotia Health contacting 2,690 patients after privacy breach

Nova Scotia Health said it will be contacting 2,690 patients after their personal information was “inappropriately accessed” at Saint Martha’s Regional Hospital in Antigonish, N.S.

“We are extremely disappointed that an employee of Nova Scotia Health would engage in activity of this nature. Nova Scotia Health will not tolerate any unauthorized access or snooping,” Derek Spinney, the health authority’s chief financial officer and vice-president of corporate services, told reporters on Friday.

Spinney said an employee connected to the privacy breach was fired. Only one person is believed to be involved with the breach, Spinney said. He wouldn’t say what the person’s role was, but did reveal it was “not clinical in nature.”

The health authority said the suspicious activity was identified in September 2023 and the person was suspended immediately and removed from their role. The person was officially fired in November.

The reason these details are only being made public now is because the health authority said it needed to do a “fulsome investigation” to figure out whose data was compromised and what specific information was accessed.

“That’s why we’re spending a lot of time making sure we know exactly what was touched so that we can contact each of the 2,690 people individually to work through this with them,” Spinney said.

Registration, demographic and clinical info accessed

In a news release, the health authority said registration, demographic, and clinical information was accessed.

Clinical would include things like lab test results, imaging results and notes related to an emergency visit or inpatient stay. 

Demographic information would include names, addresses, emails, phone numbers, health card numbers, emergency contact or next of kin, and the names of primary care providers. It would also include registration information, including the reason a person is at the hospital, their initial health assessment and the

NWT child’s counselling file missing for years in ‘serious breach’

A child’s counselling file has been missing from an NWT health authority office for years after a departing counsellor tried to hand over paper records of their cases.

A report by the NWT’s privacy commissioner outlines a series of searches by staff that somehow kept turning up mislaid files every time, but never the file they were trying to find.

The report reveals sensitive counselling records were being kept in cloth reusable grocery bags – and even in a laptop bag “underneath a pile of personal items.”

The community in question isn’t revealed in the report. The health authority has said staff must now use locked boxes to transport files, rather than grocery bags, and a policy governing how clients’ information is moved is being finalized.

Privacy commissioner Andrew Fox’s report was filed in February this year and published online last week. It deals with a child and youth counselling file that was first declared missing on November 2, 2021.

Advertisement.

Advertisement.

Such files normally contain a person’s name, birth date, counselling session notes and other sensitive information, although Fox said the NWT’s health authority doesn’t know for sure what was in this one. Staff reportedly said the file held more than five years of information and was “noticeably larger than the other files in the set.”

When a counsellor working with the child left their position in July 2021, they brought all their files to the office of the community’s mental health and addictions counsellor in two cloth grocery bags, both placed inside a bigger plastic bag. Later, in October that year once a new child and youth counsellor had started, the mental health and addictions counsellor took the bags to the new employee at the school.

Nobody ever made a list of which people’s files were inside the

Thessalon First Nation responds to privacy breach allegations

Thessalon First Nation’s government has responded to allegations that a community nurse accessed residents’ medical information without their consent, stating these claims “have not been proven.”

This message was posted to TFN’s official Facebook page late Friday afternoon, where officials provided a brief timeline of how they were informed of this alleged incident.

According to this post, representatives from the Maamwesying North Shore Community Health Services contacted TFN officials about this alleged privacy breach on March 14.

Within this piece of correspondence, Maamwesying officials said, according to TFN, that they had filed complaints with Ontario’s Privacy Commissioner and the College of Nurses.

On March 15, TFN officials said they asked Maamwesying to share its investigation report. TFN claims the health agency has not provided any proof of its investigation as of yet.

“A fair and transparent investigation must first take place and its results shared with Thessalon before any action is taken,” TFN’s statement read.

“Thessalon First Nation can only complete its investigation into the allegations against our employee if Maamwesying provided us with their investigation results. Thessalon cannot access Maamwesying’s systems to conduct a file audit. We require both sides of the story.”

The Sault Star attempted to reach out to Maamwesying for comment but did not receive a response by 6 p.m. Friday.

However, The Star did speak with Maamwesying chief privacy officer Michelle Brisbois about this alleged information breach back in late March after receiving several letters from TFN residents.

Within these letters to clients, Brisbois alleges that the community health nurse viewed their medical records even though they “did not have a legitimate reason” to do so, as they were “not providing care” to that specific person at the time.

“Please be reassured that there is no indication your personal health information (meaning your diagnoses, test

More than 1 million Corewell Health patients impacted by security breach

CBS News Detroit Digital Brief for Nov. 30, 2023


CBS News Detroit Digital Brief for Nov. 30, 2023

04:01

(CBS DETROIT) – The health information of about 1 million patients of Corewell Health in Southeast Michigan and about 2,500 Priority Health members were impacted due to a security breach at Welltok, Inc.

Welltok provides patient communication services for Corewell Health in Southeast Michigan a portal for Priority Health, the health system’s health plan, according to Corewell Health

Officials at Welltok said its system and security concerns are resolved and are not aware of any fraud or identity theft after the breach. 

The type of information includes:

  • Priority Health members: Name, address and health insurance identification number
  • Corewell Health patients: Name, date of birth, email address, phone number, diagnosis, health insurance information and Social Security number

“The privacy of our patients, health plan members and team members is a top concern. We recently learned our vendor, Welltok, Inc., was affected by the MOVEit cyberattack that involved more than 2,000 organizations earlier this year. Welltok is communicating directly with the individuals whose data was affected by the attack, and credit monitoring is available to all impacted people,” Corewell Health said in a statement.  

According to Welltok, the impacted individuals were from the following organizations: 

  • Asuris Northwest Health
  • BridgeSpan Health
  • Blue Cross and Blue Shield of Minnesota and Blue Plus
  • Blue Cross and Blue Shield of Alabama
  • Blue Cross and Blue Shield of Kansas
  • Blue Cross and Blue Shield of North Carolina
  • Corewell Health
  • Faith Regional Health Services
  • Hospital & Medical Foundation of Paris, Inc. dba Horizon Health
  • Mass General Brigham Health Plan
  • Priority Health
  • Regence BlueCross BlueShield of Oregon
  • Regence BlueShield
  • Regence BlueCross BlueShield of Utah
  • Regence Blue Shield of Idaho
  • St. Bernards Healthcare
  • Sutter Health
  • Trane Technologies Company LLC and/or

BORN Ontario data breach left health data of millions exposed. What went wrong?

A massive cyberattack that left the health data of mothers, newborn babies and parents seeking fertility treatment exposed, could have been entirely prevented if more protective measures were put in place, according to Canadian security experts.

The Better Outcomes Registry & Network (BORN) on Monday revealed that 3.4 million people — mostly those seeking pregnancy care and newborns who were born in Ontario — had their personal health information compromised in May.

“This is appalling,” said Ann Cavoukian, Ontario’s former information and privacy commissioner. “The personal health information that was copied was collected from a large network of mostly Ontario health-care facilities.

If BORN had de-identified the data by stripping personal details such as names, health care numbers and addresses, it would have provided the “strongest protection” in the event of a data breach, she said.

Story continues below advertisement

“They didn’t say that they de-identified the data and that’s the very least they should have done,” Cavoukian added.

The health-care information that was stolen may have included data such as names, addresses, date of birth, health card number (with no version code), lab results from screening and diagnostic testing, pregnancy risk factors, type of birth and procedures and birth outcomes, BORN said in a statement posted Monday.

As of publication time, there was no searchable database or clear way for the public to definitively find out if their information was compromised.


Click to play video: 'Cyber security experts say ransomware data breach in health care sector is a lesson for everyone'


Cyber security experts say ransomware data breach in health care sector is a lesson for everyone


BORN, an agency funded by the province, is responsible for gathering data related to pregnancies and births within Ontario. On Monday, it said a cybersecurity breach on May 31, 2023, had led to the exposure of data concerning 1.4 million people seeking pregnancy care and 1.9 million infants born

Breach of Ontario pregnancy and newborn care registry touches 3.4 million people

An Ontario government agency that manages data about pregnancy and newborn children in the province says the personal health information of about 3.4 million people was impacted by a data breach.

The Better Outcomes Registry & Network (BORN) said in an update on Monday that the May 31 cybersecurity incident was linked to the global privacy breach of the file transfer system MoveIt – the same software that exposed the personal information of some 100,000 Nova Scotians last spring.

“As a result of the incident, unauthorized parties were able to copy certain files from one of BORN’s servers. Data in the copied files included personal health information collected from primarily Ontario fertility, pregnancy, and child health care providers,” the registry wrote in a news release.

Anyone who gave birth between April 2010 and May 2023 is “likely” affected by the breach, BORN said.

Individuals who received pregnancy care between January 2012 and May 2023 are also likely affected as are those who had in-vitro fertilization (IVF) or egg banking in Ontario between January 2013 and May 2023.

BORN said that it does not collect banking details, social insurance numbers, OHIP version codes or security numbers, or patient emails addresses or passwords. As such, BORN said, those details were not included in the incident.

“At this time, there is no evidence that any of the data copied from BORN’s systems has been misused for any fraudulent purposes. We have engaged experts to monitor the dark web for any activity related to this incident,” according to the agency.

BORN said that it began working with cybersecurity experts “immediately” after it discovered the incident and reported it to the Office of the Information and Privacy Commissioner of Ontario, which it says is currently investigating the breach.

As a result of the breach,

Back To Top