Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Canada Security

Thousands of Patient Records Held for Ransom in Ontario Home Care Data Breach, Attackers Claim (www.cbc.ca) 33

CBC reports: The detailed medical histories and contact information of possibly tens of thousands of home-care patients in Ontario are allegedly being held for ransom by thieves who recently raided the computer systems of a health-care provider. CarePartners, which provides home medical care services on behalf of the Ontario government, announced last month that it had been breached. It said only that personal health and financial information of patients had been "inappropriately accessed," and did not elaborate further. However, a group claiming responsibility for the breach recently contacted CBC News and provided a sample of the data it claims to have accessed, shedding new light on the extent of the breach. The sample includes thousands of patient medical records with phone numbers and addresses, dates of birth, and health card numbers, as well as detailed medical histories including past conditions, diagnoses, surgical procedures, care plans and medications for patients across the province.
This discussion has been archived. No new comments can be posted.

Thousands of Patient Records Held for Ransom in Ontario Home Care Data Breach, Attackers Claim

Comments Filter:
  • Once again . . . (Score:4, Insightful)

    by hduff ( 570443 ) <hoytduff@nOSPAM.gmail.com> on Tuesday July 17, 2018 @01:03PM (#56963430) Homepage Journal

    Once again, a company that is supposed to protect sensitive personal information fails to provide available security measures and exposes sensitive personal information to a host of bad actors. This kind of neglect usually is not at the IT level, but all the way at the top.

    • from the story: "...Under Ontario's Personal Health Information Protection Act, health-care providers are required to "take precautions to safeguard against theft, loss, as well as unauthorized collection, use, disclosure, copying, modification or disposal of your personal health information" and ensure that health records are retained securely. Violations of the act can lead to prosecution. If found guilty, companies can be fined up to $500,000, while individuals may be fined up to $100,000..."
      • by mysidia ( 191772 )

        The problem is they can avoid the fines by taking precautions that turn out to fail.
        Instead they should be required to ensure records are not leaked, and the breach itself should incur a fine.

        The fine should not be capped, but should be AT LEAST as many dollars as the attackers stand to gain by selling the information leaked.... that is fine $10,000 or so per person whose Times the Number of People who PII were in the record system that were leaked for sure, and 50% of that for any person w

    • by Anonymous Coward

      This kind of neglect usually is not at the IT level, but all the way at the top.

      HAH. While I am not certain about this particular company, when these companies are only engaged in neglect, it's a win. (There are some good staff at some of the companies, but they generally have to keep their noses down because of the culture. If you did real undercover inspections of elder care in Ontario you would be terrified.)

    • by nuckfuts ( 690967 ) on Tuesday July 17, 2018 @02:45PM (#56964118)

      Yes, protecting sensitive data is an important corporate responsibility, but you seem to be placing 100% of the blame on the victim.

      Having worked as a System Administrator, I can tell you it's not easy to make anything completely secure. There are zero-day exploits. There are hackers who reverse engineer the latest security patches before you arrive at work and have a chance to evaluate & install them. There are extremely talented individuals who work relentlessly, day and night, to find new ways to circumvent your defenses.

      So when, inevitably, someone's security is breached, save a bit of your condemnation for the person(s) committing the crime. There are people holding companies for ransom with no regard for the amount of damage they create. This is what's truly reprehensible.

      • by mysidia ( 191772 )

        I can tell you it's not easy to make anything completely secure.

        And yet there are PLENTY of possible precautions which businesses ignore, because they're too inconvenient to employees or too great a negative impact to the cost savings from using electronic systems instead of paper-based systems.
        Note: There is no obligation to put customer's data in an electronic system. Paper-based systems not connected to any global network have worked for thousands of years and never had a "zero day" exploit --

        • The problem is created by the supposed victim businesses making dunderheaded design decisions...

          They are not supposed victims. They are victims.

          You might as well argue that if someone robs my house I'm to blame because I could have purchased a stronger lock for my door. Or that I'm causing crime by keeping possessions in a house because no lock is infallible.

          In today's world, it is not "gross negligence" to connect a business system to the Internet. It's a typical requirement. Nobody is going back to paper-based systems, and if you would seriously advocate that you are out of touch.

          • by mysidia ( 191772 )

            You might as well argue that if someone robs my house I'm to blame because I could have purchased a stronger lock for my door.

            It's a bad analogy. Presumably the stuff in your house is YOURs, and nobody other than you suffers a loss when it gets stolen.

            When we're talking about patient records --- the stuff you are "securing" is other people's stuff.

            And putting it on an information system connected to the internet is like putting it in buckets or boxes spread out in a massive field protected only b

          • Comment removed based on user account deletion
      • Comment removed based on user account deletion
    • Comment removed based on user account deletion
  • by Anonymous Coward

    Screw the "civilized" way of dealing with this kind of filth. Track them down, find them, kill them.

    This kind of scum is cancer, and must be delth with accordingly.

  • This isn't holding something for ransom. When you pay ransom, you (in theory) get your property back safe and sound and the culprits no longer have it. Here, the culprits have a copy of the data, and they say that if they're given money, they won't release it. Paying them won't make their copy vanish; there's no guarantee they won't take the money and then sell the data to other people. This is simple extortion. I guess that doesn't sound as exciting in a headline, though.

"Life sucks, but death doesn't put out at all...." -- Thomas J. Kopp

Working...