Alberta Office of the Information Privacy Commissioner Annual Report
Recently, the Alberta Office of the Information Privacy Commissioner (OIPC) released their Annual Report 2019/2020.
The report covers April 2019 to March 2020. This is the first full year of mandatory privacy breach reporting requirements in Alberta.
Because of the volume of privacy breaches, the OIPC has now chosen to triage privacy breach reports. They are fast tracking any breaches where individuals have not yet been notified about the breach, or where a potential offence is suspected.
If you've submitted a privacy breach report to the commissioner's office and haven't heard from them yet, it may be because it has gone through this triage process: if you have completed an internal investigation and notified affected individuals, your breach report has not been flagged as a high priority.
The OIPC conducted investigations regarding offences under the Health Information Act (HIA), usually privacy breaches. In that time period, they forwarded 18 cases to the Special Prosecutions Branch of Alberta Justice for further investigation.
Privacy Breach Trends
The commissioner's office reported some interesting trends among the privacy breaches reported to them under the PIPA legislation, the Personal Information Protection Act. Of the cases reported to them, a hundred were electronic systems compromises. In other words, the organization lost some security in a computer or network system of some kind, either one under their direct control or one operated by a third party vendor.
Human error is still a large source of privacy breaches. This can include both misdirected communications, such as mis-sent snail mail, email, or faxes; and unauthorized disclosure, such as when health providers discuss health information with other providers not involved in the patient's care.
The report also noted 20 incidents of theft, which included rogue employees.
Snooping continues to be an issue, although the report did not provide numbers to go with that.
Ransomware is also a serious issue, one that the commissioner's office predicts will continue, particularly in clinics that lack technical security controls on their computer systems.
Social engineering, which is tricking someone into divulging information based on false pretenses and assumptions, is a significant danger in the healthcare industry.
Social Engineering Example
Somebody posed as a pharmacist and wrote emails to pharmacies in order to get information about a particular patient. The email reads as though the patient traveled from one location to another, and the fraudulent pharmacist is asking their fellow pharmacists at the other location to provide some information.
This social engineering campaign was considered a significant threat, and the college of pharmacists actually released an advisory to pharmacies to warn them of this social engineering attack.
This is a good word of caution for all of us: do not make assumptions just because somebody's email signature line says they are a pharmacist or other healthcare provider. We still need to make sure that we have verified the identity of that individual, and not rely on the email signature alone.
You can download the report from the OIPC website. It provides a variety of other statistics and examples about investigation reports and privacy breach trends that may be of interest to you.