Information Security

Canadian Businesses Advised to Be More Vigilant About Data Storage

The Office of the Privacy Commissioner (OPC) of Canada has announced that, whilst there has been an increasing trend towards online storage of personal information by Canadian businesses, many lack the tools, such as encryption, to properly secure this information. According to the OPC, “companies are storing personal information on a variety of digital devices, such as desktop computers (55%), servers (47%) and portable devices (23%)”. However, even though 73% of these companies have measures in place to secure the information from unlawful access, the measures are not strong enough. The majority of businesses use passwords to protect personal information, but “39% do not have controls in place to ensure that those passwords are difficult to guess, and 27% never require employees to change passwords”. The OPC has advised that passwords should be “complex and dynamic” and that secondary measures, such as encryption, should be taken by companies which store personal information.

OPC’s media release (4 May 2012)
(Source: OPC)

Report Identifies Worrying Data Breach Trends Worldwide

The Office of the Privacy Commissioner (OPC) of Canada has announced that the 2012 Data Breach Investigations Report (undated) published by Verizon Business (Verizon) “highlights some extremely troubling trends about the types of data breaches occurring around the globe and also how organi[s]ations of all sizes are failing to adequately respond to new threats”. Of the 855 breaches from 2011 studied by Verizon, which were spread across 36 countries and compromised over 174 million records, 98% involved external agents such as organised criminals, 81% involved hacking and 69% involved malware. The OPC noted that 92% of the breaches were detected by a third party rather than by the affected organisations themselves.

OPC’s media release (8 May 2012)
(Source: OPC; Verizon)

Welsh NHS Receives Unprecedented Penalty Following Serious Data Breach
Europe, Middle East and Africa

The United Kingdom (UK) Information Commissioner’s Office (ICO) has announced that Welsh health board Aneurin Bevan Health Board (ABHB) is the first [National Health Service (NHS)] organisation to be served a monetary penalty, of £70,000, “after a sensitive report – containing explicit details relating to a patient’s health – was sent to the wrong person”. The breach came about after a doctor failed to provide a secretary with sufficient information about a patient to format a letter, and “also misspelt the name of the patient at one point, which led to the report being sent to a former patient with a very similar name in March [2011]”. The ICO stated that its investigation revealed a lack of adequate checks in place to ensure that data breaches did not occur, and that neither of the relevant staff members had received data protection training. The ABHB has agreed to train all staff on data protection, to implement “appropriate and regular monitoring of compliance with policies on data protection and [information technology] security” and to ensure that “new checking processes are introduced across all sites to confirm a patient’s identity before personal information is sent out”.

ICO’s media release (30 April 2012)
(Source: ICO)

Interactive Website Fails to Test for Security Leak
Europe, Middle East and Africa

The UK Information Commissioner’s Office (ICO) has found that Toshiba Information Systems (UK) has breached the Data Protection Act 1998. The ICO stated that the personal details of individuals registered for an online competition on the company’s website were accessible due to a security flaw. The information included names, addresses and dates of birth, along with contact information. The ICO found that the measures put in place by Toshiba were insufficient “to detect that a Web design error had been made by a third party developer”. ICO head of enforcement Stephen Eckersley urged “UK organisations with interactive websites to make sure they have suitable checks in place before collecting people’s details online”. Toshiba has made an undertaking (undated) which includes “the introduction of appropriate and proportionate data security testing on relevant Web applications before they are launched”.

ICO’s media release (17 April 2012)
(Source: ICO)

Physician Practice Fails to Comply with Privacy and Security Rules

The US Department of Health and Human Services (HHS) has announced a settlement with Phoenix Cardiac Surgery, P.C., of Phoenix and Prescott, Arizona, following an investigation into potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. The physician practice was “posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible”. Further investigation indicated that the practice “had implemented few policies and procedures to comply with the HIPAA Privacy and Security Rules, and had limited safeguards in place to protect patients’ electronic protected health information (ePHI)”.

HHS Office for Civil Rights (OCR) director Leon Rodriguez stated that the case “is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules”. He also said that health care providers needed to understand that the “OCR expects full compliance [with the HIPAA rules] no matter the size of a covered entity.”

Phoenix has “agreed to pay the HHS a [US]$100,000 settlement and take corrective action to implement policies and procedures to safeguard the protected health information of its patients”.

HHS’s Media Release (17 April 2012)
(Source: HHS)