Slashdot Mirror


Thousands of Patient Records Held for Ransom in Ontario Home Care Data Breach, Attackers Claim (www.cbc.ca)

CBC reports: The detailed medical histories and contact information of possibly tens of thousands of home-care patients in Ontario are allegedly being held for ransom by thieves who recently raided the computer systems of a health-care provider. CarePartners, which provides home medical care services on behalf of the Ontario government, announced last month that it had been breached. It said only that personal health and financial information of patients had been "inappropriately accessed," and did not elaborate further. However, a group claiming responsibility for the breach recently contacted CBC News and provided a sample of the data it claims to have accessed, shedding new light on the extent of the breach. The sample includes thousands of patient medical records with phone numbers and addresses, dates of birth, and health card numbers, as well as detailed medical histories including past conditions, diagnoses, surgical procedures, care plans and medications for patients across the province.

33 comments

  1. Once again . . . by hduff · · Score: 3, Insightful

    Once again, a company that is supposed to protect sensitive personal information fails to provide available security measures and exposes sensitive personal information to a host of bad actors. This kind of neglect usually is not at the IT level, but all the way at the top.

    --
    "I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
    1. Re:Once again . . . by ole_timer · · Score: 2

      from the story: "...Under Ontario's Personal Health Information Protection Act, health-care providers are required to "take precautions to safeguard against theft, loss, as well as unauthorized collection, use, disclosure, copying, modification or disposal of your personal health information" and ensure that health records are retained securely. Violations of the act can lead to prosecution. If found guilty, companies can be fined up to $500,000, while individuals may be fined up to $100,000..."

      --
      nothing to see here - move along
    2. Re:Once again . . . by nuckfuts · · Score: 3, Insightful

      Yes, protecting sensitive data is an important corporate responsibility, but you seem to be placing 100% of the blame on the victim.

      Having worked as a System Administrator, I can tell you it's not easy to make anything completely secure. There are zero-day exploits. There are hackers who reverse engineer the latest security patches before you arrive at work and have a chance to evaluate & install them. There are extremely talented individuals who work relentlessly, day and night, to find new ways to circumvent your defenses.

      So when, inevitably, someone's security is breached, save a bit of your condemnation for the person(s) committing the crime. There are people holding companies for ransom with no regard for the amount of damage they create. This is what's truly reprehensible.

    3. Re:Once again . . . by Anonymous Coward · · Score: 0

      Maybe they shouldn't be required to take precautions, but required instead to successfully protect.

      Surely, they can demonstrate controls to protect the data. Those controls were insufficient by definition.

    4. Re:Once again . . . by mysidia · · Score: 1

      The problem is they can avoid the fines by taking precautions that turn out to fail.
      Instead they should be required to ensure records are not leaked, and the breach itself should incur a fine.

      The fine should not be capped, but should be AT LEAST as many dollars as the attackers stand to gain by selling the information leaked.... that is, a fine of $10,000 or so times the number of people whose PII was in the record system and was leaked for sure, and 50% of that for any person whose PII was in the system and whose record MIGHT have been leaked, but that the company can't prove was not accessed or leaked.

    5. Re:Once again . . . by mysidia · · Score: 1

      I can tell you it's not easy to make anything completely secure.

      And yet there are PLENTY of possible precautions which businesses ignore, because they're too inconvenient to employees or too great a negative impact to the cost savings from using electronic systems instead of paper-based systems.
      Note: There is no obligation to put customers' data in an electronic system. Paper-based systems not connected to any global network have worked for thousands of years and never had a "zero day" exploit ---- Airgapped records systems with dedicated business operations desktops that have no internet connection also work lovely.

      There are zero-day exploits.

      Yes.... and ANY system designer should be aware zero-day exploits exist before they start building an Information Management System.

      Perhaps the ones that thought it was a "cool idea" to set it up directly on the internet as a publicly accessible cloud service should be charged with gross negligence.

      So when, inevitably, someone's security is breached, save a bit of your condemnation for the person(s) committing the crime.

      The problem is created by the supposed victim businesses making dunderheaded design decisions that cause systems that are EASY to exploit ---- Like knowing that immeasurable zero-day exploits exist against common operating systems and frameworks which are all insecure, AND choosing to use those OSes and frameworks to build their systems AND then willfully hooking those systems up to be able to access the public internet anyways, when they Know or Ought to Know such issues exist.

    6. Re:Once again . . . by nuckfuts · · Score: 1

      The problem is created by the supposed victim businesses making dunderheaded design decisions...

      They are not supposed victims. They are victims.

      You might as well argue that if someone robs my house I'm to blame because I could have purchased a stronger lock for my door. Or that I'm causing crime by keeping possessions in a house because no lock is infallible.

      In today's world, it is not "gross negligence" to connect a business system to the Internet. It's a typical requirement. Nobody is going back to paper-based systems, and if you would seriously advocate that you are out of touch.

    7. Re:Once again . . . by mysidia · · Score: 1

      You might as well argue that if someone robs my house I'm to blame because I could have purchased a stronger lock for my door.

      It's a bad analogy. Presumably the stuff in your house is YOURs, and nobody other than you suffers a loss when it gets stolen.

      When we're talking about patient records --- the stuff you are "securing" is other people's stuff.

      And putting it on an information system connected to the internet is like putting it in buckets or boxes spread out in a massive field protected only by a fence with minimal maintenance budget placed around the borders of your property line which is adjacent to a public forest well-known to be teeming with thieves and undesirables.

      Also, while your fence generally looks well built: there are places where there are holes in it that someone could slip in, or perhaps some "unexpected" exploit could allow some random person to jump your fence and then go make off with your customers' information, but minimal direct damage to your business (as long as you're able to minimize the reputation impact).

      PII is valuable, and is deserving of Not being left out in a field --- it needs to be put in a Vault, which in the real world means PII is encrypted at rest and transit, And kept encrypted at all times, and the systems are designed so that authorization to extract PII cannot be approved by an internet-connected host.

      In today's world, it is not "gross negligence" to connect a business system to the Internet. It's a typical requirement.

      Creating direct connections between business systems and the internet is no fundamental business requirement. It is a "requirement" that could only come from almost completely ignoring security considerations.

    8. Re:Once again . . . by datavirtue · · Score: 1

      Healthcare has about the same level of security as a manufacturing facility would have for its PLCs. Don't expect any to be close to secure without a major, right-headed investment.

      --
      I object to power without constructive purpose. --Spock
    9. Re:Once again . . . by datavirtue · · Score: 1

      Bullshit. You can't blame the system admin. They only install/run the shit software that is purchased by a committee.

      Sure, deploy some rubyonrails trash heap and access it with Windows XP and IE...what could go wrong?

      Welcome to database dump land.

      Even if they did hire good security people and listened to them they would have to back out of an extremely costly deployment and fix everything...not going to happen. Did I mention they would have to contact the defunct software manufacturer for updates and security patches?

      There is a lot of mom-and-pop software/SaaS in healthcare just waiting to be owned.

      --
      I object to power without constructive purpose. --Spock
    10. Re:Once again . . . by datavirtue · · Score: 1

      You can purchase a strong lock for your door and if a business does not do this they are negligent. However, information security cannot be purchased!! It is a development effort involving the business, system administrators and software programmers. You have to hire very knowledgeable and experienced people that are dedicated to security with the resources to be effective.

      --
      I object to power without constructive purpose. --Spock
  2. Canada, eh? by Anonymous Coward · · Score: 0

    What kind of patient records do they have
    — patient hosehead was hurt while drunkenly clubbing baby seals
    — hoser drunkenly body checked a grizzly bear, eh

  3. Trump asked the attackers if they really did it by Anonymous Coward · · Score: 0, Troll

    and they denied it. So who is to say there has even been a breach?

    1. Re:Trump asked the attackers if they really did it by Anonymous Coward · · Score: 0

      Both sides are to blame.

  4. Not as critical in Canada vs US by Anonymous Coward · · Score: 0

    While not downplaying the impact of the breach, the exposure of Canadian healthcare records isn't as dire as the same thing would be in the USA. There are no insurance premiums to raise on anyone with any condition since almost everything is covered regardless. No worries about condition X getting out and being denied a claim based on it.

    1. Re:Not as critical in Canada vs US by snapsnap · · Score: 2

      That's not true at all. From: https://www.healthcare.gov/coverage/pre-existing-conditions/ "No insurance plan can reject you, charge you more, or refuse to pay for essential health benefits for any condition you had before your coverage started." It's one of the reasons health insurance is so expensive since you can just wait until you need it.

    2. Re:Not as critical in Canada vs US by Anonymous Coward · · Score: 1

      In the US, you can't even charge pregnant women more who wait until up to two months after birth to buy coverage, and the coverage is back dated by up to two months. My sister waited until after my poor niece was born early and had to spend two weeks in the hospital. She saved thousands by not buying insurance, abused the system, then dropped coverage after the first month since it covered everything she needed. It's too easy to game the system.

    3. Re:Not as critical in Canada vs US by bws111 · · Score: 1

      Wait, you don't think your health insurance provider knows your medical history? Do you think they just blindly pay whatever is submitted without knowing what they are paying for and why they are paying it?

    4. Re:Not as critical in Canada vs US by Anonymous Coward · · Score: 1

      Why is it every time healthcare in the US is talked about, foreign trolls come out of the woodwork?

      In the US, you cannot charge more for preexisting conditions. You can't even charge more for voluntary preexisting conditions such as pregnancy, self-harm, or alcoholism.

    5. Re:Not as critical in Canada vs US by Anonymous Coward · · Score: 0

      Wait, you don't think your health insurance provider knows your medical history?

      Well, no. Over the course of a lifetime, you might have more than one insurance provider.

      For example, thirty years ago you might have broken your leg, but the records of that might no longer exist today.

      If you develop a leg issue today, an insurance company might claim that is a preexisting condition and not cover it.

      On the other hand, if your current insurer doesn't know about the broken leg...

    6. Re:Not as critical in Canada vs US by bws111 · · Score: 1

      If you have a policy that does not include pre-existing conditions (you don't since it is illegal), then the insurer will both do an examination of you and ask your medical history. No need for 'leaked' records. If you lie, that is fraud.

    7. Re:Not as critical in Canada vs US by Anonymous Coward · · Score: 0

      Because 99% of those who post on /. as anonymous cowards are ignorant worthless keyboard warriors who think they know everything even though they've never been out of their mother's basement, except maybe to go to the bathroom (if there's no bathroom in their mother's basement).

    8. Re:Not as critical in Canada vs US by sjames · · Score: 2

      That's actually why the ACA had a penalty for not being insured. Trump and the GOP did away with that hoping to make it all blow up since they couldn't manage to repeal it properly after trying 85 times.

      In turn, the penalty was a problem because too many red states did their best to make it hard to get coverage.

    9. Re: Not as critical in Canada vs US by Anonymous Coward · · Score: 0

      In the United States, a couple of firms have a medical history of an individual that is as complete as your medical provider's, but goes back decades. Getting access to them has always been difficult.

    10. Re:Not as critical in Canada vs US by Anonymous Coward · · Score: 0

      ...said someone posting as AC.

    11. Re:Not as critical in Canada vs US by datavirtue · · Score: 1

      Right. The only hope was single payer instead of hacky heavy-handed laws. People would have complained less about single payer than being forced to buy shitty, expensive insurance.

      --
      I object to power without constructive purpose. --Spock
    12. Re:Not as critical in Canada vs US by datavirtue · · Score: 1

      They will find it on Facebook where you posted pics and talked about your broken leg.

      --
      I object to power without constructive purpose. --Spock
  5. "Company" by Anonymous Coward · · Score: 1

    This kind of neglect usually is not at the IT level, but all the way at the top.

    HAH. While I am not certain about this particular company, when these companies are only engaged in neglect, it's a win. (There are some good staff at some of the companies, but they generally have to keep their noses down because of the culture. If you did real undercover inspections of elder care in Ontario you would be terrified.)

  6. Enough with this bullshit by Anonymous Coward · · Score: 1

    Screw the "civilized" way of dealing with this kind of filth. Track them down, find them, kill them.

    This kind of scum is cancer, and must be dealt with accordingly.

    1. Re:Enough with this bullshit by datavirtue · · Score: 1

      I used to do penetration testing at a college in my spare time in IT there. We installed a new $200k wireless system and I demonstrated how to hijack a session and gain access to the system. I asked my IT director what he was going to do about this and he said "break the mother fucker's hands." I stopped documenting exploits.

      --
      I object to power without constructive purpose. --Spock
  7. Ransom? by Translation+Error · · Score: 1

    This isn't holding something for ransom. When you pay ransom, you (in theory) get your property back safe and sound and the culprits no longer have it. Here, the culprits have a copy of the data, and they say that if they're given money, they won't release it. Paying them won't make their copy vanish; there's no guarantee they won't take the money and then sell the data to other people. This is simple extortion. I guess that doesn't sound as exciting in a headline, though.

    --
    When someone says, "Any fool can see ..." they're usually exactly right.
  8. Privacy is a JOKE in Canada by Anonymous Coward · · Score: 0

    Having been through the process of a formal complaint, Privycom (Privacy Commissioner) is a part of it too. They have _zero_ actual enforcement powers. Instead they are in effect a feel-good pat on the back for the Canadian Government when it needs someone to take the fall.

    The fines they "issue" are slaps on the wrist, nothing more. If you've ever had the rather unfortunate luck of dealing with them you'd know there's _zero_ fucks given toward actual long term damages of having your data stolen. They issue "guidelines", with more exemptions than our immigration policy, and use them as a self-fulfilling, rhetorical bible -- "Our guidelines state companies cannot do X unless Y". Yet in my case they couldn't even provide a document stating what landlords can access from credit agencies (turns out it's a fuck of a lot).

    At the end of the day we have little to no privacy.