November 23, 2007
Province Acts to Investigate Security Breach
The protection of the private and confidential information of the province's residents is paramount, noted the Honourable Jerome Kennedy, Minister of Justice and Attorney General, as he outlined today the quick and decisive actions taken by the Provincial Government in response to a security breach related to patient information held by the Provincial Public Health Laboratory (PHL).
"On Tuesday evening of this week, there was a security breach that exposed the confidential information of some patients whose test results are held by our Provincial Public Health Laboratory," said Minister Kennedy. "This is a very serious matter that required immediate action."
The PHL acts as the provincial laboratory centre for infectious disease surveillance and control. It provides routine, specialized and reference laboratory services in clinical and public health microbiology to all hospitals, clinics and other health-related agencies in the province.
The security breach involved the exposure of files containing patient information through an open Internet connection. The files were stored on a desktop computer that is normally housed within the PHL but was being used externally in the home office of a consultant on contract with the laboratory. The consultant became aware of the potential breach when called by an individual identifying himself as a representative of a computer security company who claimed he was in possession of some of the patient information stored on the consultant's computer.
"Upon learning of this situation, our government instigated an immediate process to determine what the scope of the breach might be," said Minister Kennedy. "We engaged the Office of the Chief Information Officer (OCIO) for its expertise and advice in this matter, we contacted the Royal Newfoundland Constabulary and we secured the services of a Canadian technology company specializing in information and infrastructure security. This company is now in the process of completing a complete forensic investigation of the computer involved. This will provide the clearest picture possible of the details relating to this breach of private patient information."
Until the forensic investigation is complete, the number of patients whose information may have been exposed cannot be determined. Patient information held by PHL includes names, MCP numbers, age, sex, physician and test results for infectious diseases, including HIV and hepatitis.
"This appears to be an isolated situation," said Minister Kennedy. "The information garnered from our investigation thus far supports this. Because the external computer was not part of the systems and networks of either the laboratory or Eastern Health, which provides IT support to PHL, this breach in no way reflects on the integrity of these systems. We can say unequivocally that all other patient information stored by our government and the regional health authorities was in no way jeopardized by this one situation with one computer external to our networks."
- 30 -
2007 11 23 3:50 p.m.