Stolen health computer stored 20,000 names

2007-08-03

RENATO GANDIA

http://www.edmontonsun.com/News/Alberta/2007/08/03/4390118-sun.html



Police and the office of the information and privacy commissioner are investigating a theft of four Capital Health computers - one containing 20,000 patient names, health card numbers, addresses and reason for admittance to hospital.

But the risk of a hacker cracking the passwords is very low, said Capital Health spokesman Steve Buick.

The computers were stolen from a secure desk with a cable lock in a secure downtown building on the evening of May 8.

Capital Health waited nearly three months before announcing the crime because it took that long for the addresses of the 20,000 patients to be confirmed, Buick said, adding letters to the affected patients were mailed out yesterday.

The laptops had two levels of password protection, so the risk of anyone accessing the patient data is virtually nil, Buick reiterated.

But Leroy Brower with the privacy commissioner's office said the data in the laptops was not encrypted, which simply means it wasn't passworded. Encryption is a higher level of protection.

However, Buick said Capital Health has a software that locks computer hard drives, which would afford the same level of protection.

All laptops in the region have been installed with this, he added.

"A theft like this happening today would produce virtually no sense of any breach."

The privacy commissioner investigated a similar case in the Calgary Health Region in 2006.

As a result of that, the commissioner recommended against storing personal or health information on laptops unless necessary.

"Consider technologies that allow secure, remote access to your network and data instead," the report said.

And if storing information on a laptop is needed, it must be encrypted.

"Password protection alone is not sufficient," the report said further.

Buick said police believe that the person who stole the computers would likely be interested in the computer itself and not on any information contained in the laptops.

"If they do hack through the passwords and get the information, they will find names, personal health care numbers and the reasons they were admitted here," said Buick.

"They will not find test results, diagnoses, physician notes on a medical chart."

Buick said the health region will do its best to reach all of the 20,000 patients.

Capital Health is now reviewing its security measures and will increase protection of the information in its possession.

For more information, call (780) 735-0005 or e-mail privacy@capitalhealth.ca


main page ATTRITION feedback