DataBreaches.Net


Bolton Walk-In Clinic in Ontario: lock down your backup already!

Posted on December 3, 2024 (updated June 12, 2025) by Dissent

DataBreaches hates reporting on an incident when the entity has not yet secured misconfigured storage, but after four months of futile efforts to get a Canadian clinic to respond to responsible disclosures, maybe publication will help get them off the dime.

Bolton Walk-In Clinic in Ontario has a data protection policy that says:

We are committed to ensuring the security of your personal information. We have implemented appropriate physical, electronic, and managerial procedures to safeguard and secure the information we collect online. However, please be aware that no method of transmission over the internet or electronic storage is 100% secure, and we cannot guarantee absolute security.

That may sound reassuring, but they have not implemented appropriate managerial procedures to safeguard patient data, and patients may reasonably question their commitment to ensuring the security of patients’ files when they repeatedly ignore responsible disclosure attempts to alert them to their security problem.

On August 6, a researcher who has asked for anonymity contacted DataBreaches to report that Bolton Walk-In Clinic in Ontario had backup storage that was exposing data. One of the three backups was encrypted, but that was not the backup with patient data. The patient data were in plain text and exposed in a backup with more than 300 GB of files.

Not finding any email address to use, DataBreaches sent a note to the clinic via their site contact form, alerting them to the misconfiguration. But by the next day, when there was no response and the data were still vulnerable, DataBreaches called them on the phone. DataBreaches subsequently summarized the phone call to the researcher in a note:

un******* believable… I had to call Bolton 3 times…. and finally got a person who calls me “honey” and says she doesn’t see any message from yesterday with the subject line “responsible disclosure..” so I interrupted her and told her to get her IT guy and tell them they are leaking patient data and give them my phone number if they can’t figure it out from that message. What a waste of my time…. They had me on hold for 5 minutes just to be sent back to the same person who had no idea what to do in the first call. And they didn’t call me back.

Fast forward to this week. The backup is still misconfigured, still updating, and still exposing patient data. Some of the patient data appears to go back more than a decade.

DataBreaches sent one more message to the clinic yesterday via their website’s contact form, noting that DataBreaches had first contacted them and then called them in August, and yet they never did anything and are still exposing patient data. The note included the specific information on the backup and this:

According to white hat researchers who alerted this site to your leak, you have been leaking all the data since at least May 2024 and possibly much earlier. I have no idea how many unauthorized individuals or criminals may have already pulled down all your patient data to misuse it.

The note included all DataBreaches’ contact info.

As of this morning, the backups are still exposed.

“We are committed to ensuring…”

Let’s look at their policy again: “We are committed to ensuring the security of your personal information. We have implemented appropriate physical, electronic, and managerial procedures to safeguard and secure the information we collect online.”

The researcher tells DataBreaches that they were routinely connecting to the backup every month, which suggests that not only did the clinic ignore the responsible disclosure attempts, but they or their vendor never detected any of an unknown number of unauthorized accesses or downloads.

If you have ever been a patient at the Bolton Walk-In Clinic

If you have ever been a patient at the Bolton Walk-In Clinic, you may want to call the clinic at +1 905-857-3260 to ask them whether your information has been exposed in the unsecured backup that this site is reporting on. Ask them if they have logs to show how long the data has been exposed, how many unauthorized IP addresses have accessed it, and how many unauthorized IP addresses have downloaded files.

Then ask them what they are going to do going forward to secure your information.

Or maybe the Information and Privacy Commissioner of Ontario can get the clinic to take action to secure patient information if some patient files a complaint.

Update of December 17: Following publication of the post, DataBreaches was contacted by the Canadian Centre for Cyber Security, who offered to help. On December 3, DataBreaches gave them all the details as to where the data were exposed, etc. But as of yesterday, the clinic’s data are STILL exposed. Canadian authorities inform DataBreaches that Bolton didn’t even respond appropriately when contacted by federal police in Canada.

Today, DataBreaches will be alerting some law firms whose clients’ information has been exposed due to the leak. Maybe they will contact Bolton and tell them to lock down their data.

If Bolton doesn’t know what to do to secure their patient data, they should contact the Canadian Centre for Cyber Security and tell them they need help responding to the notifications they have received that they are leaking sensitive patient data.

Category: Breach Incidents, Exposure, Health Data, Non-U.S.


1 thought on “Bolton Walk-In Clinic in Ontario: lock down your backup already!”

  1. Abba Gelan says:
    December 3, 2024 at 10:03 am

    Thank you for your detailed information. These people at the clinic are boneheads. No brain to think and at least stop the leak. I hope they will be fined for such ignorance.

Comments are closed.

© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.