DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

More transparency needed in Health Authority insider breaches

Posted on August 3, 2012 by Dissent

CBC News reports:

Health authorities in Labrador and central Newfoundland acknowledge they have disciplined workers for previously-unreported privacy breaches.

Last year, Central Health admitted to a serious breach of privacy involving 19 patients. The employee responsible was fired.

Since then, the board has not publicly reported any other breaches — until being asked by CBC News.

“We did not disclose two,” Central Health CEO Karen McGrath said. “While they were serious, we believed we had talked to, disclosed to the clients themselves, and felt it was not either in the best interest of the clients to actually publicly disclose this.”

McGrath says that both cases involved less than 10 patients. In one case the employee was suspended; in the other, the employee quit.

Central Health did inform the privacy commissioner, but had no intention of informing the public.

“I think that’s true for all the health authorities,” McGrath said. “We don’t disclose all breaches.”

Read more on CBC News.

And why should they disclose publicly if they don’t have to, right?

Even when they do disclose breaches – to patients or the public – full transparency may not be the order of the day for the health authorities. This week, I posted an item about a breach at Western Health Authority in Newfoundland.  Western Health had reportedly fired an employee who improperly accessed over 1,000 patients’ records.  Neither the media report nor a statement on Western Health’s web site addressed the employee’s motivation in accessing the patient records.

I contacted the health authority and asked for a statement about the motivation behind the access.  By email, a spokesperson replied that they were not able to comment on the motives of the employee.

Why not? Do they not know?  Or do they know but are refusing to disclose?

Those who are affected by a breach need to know sufficient details so that they can evaluate the risk of harm. An employee who’s snooping out of curiosity is one thing.  An employee who is accessing records and possibly recording information to be misused subsequently is something else. Both are problematic – especially if the health records contain sensitive information – but how can patients assess the situation if important information is withheld from them?

The Western Health Authority did not name the employee, and I do not criticize them for that. But unless authorities are legally prohibited from disclosing more details about the breach, I think they not only should, but owe it to the victims of the breach to do so.

Because other breaches were not disclosed publicly, I do not know whether patients were provided with any explanation of those insider breaches. In at least one publicly reported case, they were. But the rest?

It seems that it’s not just the U.S. that needs a mandatory breach notification law that includes important elements of breach details.

Update: Apparently, the New Democrats agree more transparency is needed.

No related posts.

Category: Health Data

Post navigation

← Australian Fishing Trade Association (AFTA) Hacked, 900 Accounts Leaked By #DoktorBass
Defining Reasonable Security →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • A year after cyber attack, Columbus could invest $23M in cybersecurity upgrades
  • Gravity Forms Breach Hits 1M WordPress Sites
  • Stormous claims to have protected health info on 600,000 patients of North Country Healthcare. The data appear fake. (1)
  • Back from the Brink: District Court Clears Air Regarding Individualized Damages Assessment in Data Breach Cases
  • Multiple lawsuits filed against Doyon Ltd over April 2024 data breach and late notification
  • Chinese hackers suspected in breach of powerful DC law firm
  • Qilin Emerged as The Most Active Group, Exploiting Unpatched Fortinet Vulnerabilities
  • CISA tags Citrix Bleed 2 as exploited, gives agencies a day to patch
  • McDonald’s McHire leak involving ‘123456’ admin password exposes 64 million applicant chat records
  • Qilin claims attack on Accu Reference Medical Laboratory. It wasn’t the lab’s first data breach.

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Here’s What a Reproductive Police State Looks Like
  • Meta investors, Zuckerberg to square off at $8 billion trial over alleged privacy violations
  • Australian law is now clearer about clinicians’ discretion to tell our patients’ relatives about their genetic risk
  • The ICO’s AI and biometrics strategy
  • Trump Border Czar Boasts ICE Can ‘Briefly Detain’ People Based On ‘Physical Appearance’
  • DeleteMyInfo Wins 2025 Digital Privacy Excellence Award from Internet Safety Council
  • TikTok Loses First Appeal Against £12.7M ICO Fine, Faces Second Investigation by DPC

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.