DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

More transparency needed in Health Authority insider breaches

Posted on August 3, 2012 by Dissent

CBC News reports:

Health authorities in Labrador and central Newfoundland acknowledge they have disciplined workers for previously-unreported privacy breaches.

Last year, Central Health admitted to a serious breach of privacy involving 19 patients. The employee responsible was fired.

Since then, the board has not publicly reported any other breaches — until being asked by CBC News.

“We did not disclose two,” Central Health CEO Karen McGrath said. “While they were serious, we believed we had talked to, disclosed to the clients themselves, and felt it was not either in the best interest of the clients to actually publicly disclose this.”

McGrath says that both cases involved less than 10 patients. In one case the employee was suspended; in the other, the employee quit.

Central Health did inform the privacy commissioner, but had no intention of informing the public.

“I think that’s true for all the health authorities,” McGrath said. “We don’t disclose all breaches.”

Read more on CBC News.

And why should they disclose publicly if they don’t have to, right?

Even when they do disclose breaches – to patients or the public – full transparency may not be the order of the day for the health authorities. This week, I posted an item about a breach at Western Health Authority in Newfoundland.  Western Health had reportedly fired an employee who improperly accessed over 1,000 patients’ records.  Neither the media report nor a statement on Western Health’s web site addressed the employee’s motivation in accessing the patient records.

I contacted the health authority and asked for a statement about the motivation behind the access.  By email, a spokesperson replied that they were not able to comment on the motives of the employee.

Why not? Do they not know?  Or do they know but are refusing to disclose?

Those who are affected by a breach need to know sufficient details so that they can evaluate the risk of harm. An employee who’s snooping out of curiosity is one thing.  An employee who is accessing records and possibly recording information to be misused subsequently is something else. Both are problematic – especially if the health records contain sensitive information – but how can patients assess the situation if important information is withheld from them?

The Western Health Authority did not name the employee, and I do not criticize them for that. But unless authorities are legally prohibited from disclosing more details about the breach, I think they not only should, but owe it to the victims of the breach to do so.

Because other breaches were not disclosed publicly, I do not know whether patients were provided with any explanation of those insider breaches. In at least one publicly reported case, they were. But the rest?

It seems that it’s not just the U.S. that needs a mandatory breach notification law that includes important elements of breach details.

Update: Apparently, the New Democrats agree more transparency is needed.

No related posts.

Category: Health Data

Post navigation

← Australian Fishing Trade Association (AFTA) Hacked, 900 Accounts Leaked By #DoktorBass
Defining Reasonable Security →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • India’s Max Financial says hacker accessed customer data from its insurance unit
  • Brazil’s central bank service provider hacked, $140M stolen
  • Iranian and Pro-Regime Cyberattacks Against Americans (2011-Present)
  • Nigerian National Pleads Guilty to International Fraud Scheme that Defrauded Elderly U.S. Victims
  • Nova Scotia Power Data Breach Exposed Information of 280,000 Customers
  • No need to hack when it’s leaking: Brandt Kettwick Defense edition
  • SK Telecom to be fined for late data breach report, ordered to waive cancellation fees, criminal investigation into them launched
  • Louis Vuitton Korea suffers cyberattack as customer data leaked
  • Hunters International to provide free decryptors for all victims as they shut down (2)
  • SEC and SolarWinds Seek Settlement in Securities Fraud Case

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • German court awards Facebook user €5,000 for data protection violations
  • Record-Breaking $1.55M CCPA Settlement Against Health Information Website Publisher
  • Ninth Circuit Reviews Website Tracking Class Actions and the Reach of California’s Privacy Law
  • US healthcare offshoring: Navigating patient data privacy laws and regulations
  • Data breach reveals Catwatchful ‘stalkerware’ is spying on thousands of phones
  • Google Trackers: What You Can Actually Escape And What You Can’t
  • Oregon Amends Its Comprehensive Privacy Statute

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.