Canadian University Server Breached
Contained Medical Info on 12,000 Patients
British Columbia Institute of Technology has notified students, faculty and staff that a computer server containing personal medical information of 12,680 individuals was accessed by an unauthorized party.
Audit analysis by the school so far indicates that the unauthorized activity was limited to using the server for downloading and uploading foreign films, rather than accessing individuals' records, says Dave Pinton, BCIT's director of communications.
"Forensics indicate that this was an automated [occurrence] from an outsider," Pinton says. It appears that the break-in wasn't designed to obtain information, but rather to access a robust Internet connection to upload and download foreign movies, he says. "None of the films were pornographic," he adds.
"From what we can tell, no data about any individual had been accessed or misused," he says. "I wouldn't characterize it as a hacker," he says.
In a notification posted on its website, BCIT says the records on the server contained personal information that is collected and used for billing purposes, including name and date of birth, phone numbers and addresses, medical services plan number, personal health plan number, as well as treatment billing codes and descriptions.
The breach was discovered on June 11, 2012 during a scheduled security audit by the institute's information technology services department. The intruder accessed a single computer server associated with the Student Health Services Medical Clinic at the BCIT Burnaby Campus.
The records on the server date from October 2005 to June 11, 2012.
BCIT has conducted an investigation and taken steps to mitigate the risk of personal information being compromised, says Pinton. The server was taken off-line immediately and its hard drives were removed and analyzed.
BCIT has contacted the Office of Information and Privacy Commissioner for British Columbia about the matter and is working with the agency to ensure privacy standards are upheld at the school, said Pinton.
Because the affected server did not contain Social Information Numbers, which are Canada's equivalent of America's Social Security Numbers, no credit monitoring services are being offered by the school.
In its notification, BCIT says, "We sincerely regret and apologize for this incident. Please be assured we are taking immediate action to address the situation and will be reviewing our physical, technical, and administrative information security process and following up with recommendations and implementing further preventative measures and safeguards."
In addition to the notification posted on its site, BCIT has emailed notices to students, faculty and staff whose personal information was on the affected server, and letters from BCIT president Don Wright were also sent by mail, Pinton says.
News of the BCIT breach follows a disclosure by the University of Texas MD Anderson Cancer Center that 30,000 of its patients were notified of a data breach after an unencrypted laptop was stolen from a faculty member's home.