Canadian Healthcare Technology Logo
  • Issues
    • Current Print Issue
    • Print Archive
  • Advertise
    • Publishing Schedule
    • Circulation
    • Unit Sizes and Rates
    • Mechanical Requirements
    • Electronic Advertising
    • White Papers
  • Subscribe
    • Print Edition
    • e-Messenger
    • White Papers
  • Events
  • Vendors
  • About Us

GE Revolution Ascend

GE Revolution Ascend

Enovacom EPC

Enovacom EPC

Privacy & Security

Unprotected network called “privacy nightmare”

February 9, 2022


Graham SteeleIQALUIT – Nunavut’s information and privacy commissioner calls an unprotected government network drive he discovered last year a “privacy nightmare,” and says most of the departments affected by the breach have done little to respond to the problem. “I was shocked by what I was able to see,” Graham Steele (pictured) said to Nunatsiaq News, following his release of a Jan. 28 report about his findings.

Steele began a review following a complaint he received in July about a file-sharing system called the “V: drive,” which allowed Government of Nunavut employees to share information between departments.

Each Nunavut community had its own drive, and, when used correctly, it limited who could see files to those with correct permission. But the drive was “often used incorrectly,” and when this occurred, any GN worker from that community could view any document contained within.

Steele said he found “dozens, and maybe hundreds, of files with privacy-invasive content.”

“I saw files with personal information touching on health, education, corrections, child protection, human resources, and more,” the report states.

“Some of it was highly sensitive, like diagnoses, prescriptions, and medical photographs. Some of it, if publicly released, could have endangered the health and safety of GN employees and others. None of it should have been left unprotected on the V: drive.”

Steele is unsure of how long there was open access to the drive, but it was “at minimum, a number of years.”

The network drive served a useful purpose, Steele’s report said: “it allowed cross-departmental collaboration within a community.”

But there were no controls to ensure the drive was being used correctly. Some files could have been uploaded to the V: drive by accident, or because the person uploading didn’t understand privacy risks, states the report. And once a file was up, there was nobody making sure it would get deleted, which led to sensitive documents accumulating over time.

When Steele learned about the issue, he contacted the Department of Community and Government Services, which runs the government’s computer systems. Within several days, access was restricted to the network drive.

In early September, he recommended the government plan to replace and to reconfigure the drive. On Nov. 1, the government shut down the V: drive and replaced it with something more secure.

Yuri Podmoroff, the territorial ATIPP manager, then contacted each public body that had unprotected files on the network drive and told them they should do a privacy breach assessment and, where appropriate, file a privacy breach report.

“That is what the law requires,” Steele’s report states. “I then waited for the privacy breach reports to roll in. And waited. And waited.”

In the end, he said he only received two reports – one from the Department of Economic Development and Transportation, the other from the Justice Department.

The Justice Department found a breach in operational information that, Steele said, “if it got into the wrong hands, could have had significant negative consequences, and might even have put people at risk of harm.”

The Justice Department’s audit found “a surprisingly large number of GN employees had viewed the information, even though there was no operational need for them to do so,” the report states.

“The department would not have known that if it hadn’t investigated. That is exactly why other departments need to do the same.”

Steele is still waiting for Finance, Education, Family Services, Health and Social Services and Community and Government Services to submit their reports, said Angela Petru, a spokesperson for the Department of Executive and Intergovernmental Affairs. Her department is responsible for administration of the Access to Information and Protection of Privacy Act.

“The list is not exhaustive and other GN departments may be asked to conduct their own investigation into the matter,” she said in an email.

Nunatsiaq News asked the affected departments about the status of their investigations. Education spokesperson Troy Rhoades was the only official to respond, with a confirmation that one is underway in his department.

Steele said he published his report to light a fire under other GN departments and public bodies that haven’t submitted their privacy breach reports.

“You owe it to the people of the territory to get that work done,” he said.

PreviousNext

SteraMist (Feb)

SteraMist (Feb)

News and Trends

  • Eastern Ontario hospitals up-and-running on Epic system
  • Osler’s iHuddle app facilitates team communication, collaboration
  • DI: How will radiology change five years from now?
  • Hospitals and imaging centres are grappling with DI backlogs
  • RACE streamlines patient journey
More from the Print Edition

Subscribe

Subscribe

Free of charge to Canadian hospital managers and executives in nursing homes and home-care organizations. Learn More

Follow us on Social Media!

Follow us on Social Media!

Nihi Data [Winter 2023]

Nihi Data [Winter 2023]

WP

WP

Advertise with us

Advertise with us

Sectra One Cloud

Sectra One Cloud

Change Healthcare [2]

Change Healthcare [2]

Infoway [Feb2023]

Infoway [Feb2023]

Zebra

Zebra

CHT print-200×400

CHT print-200x400

SteraMist (Feb)

SteraMist (Feb)

Advertise with us

Advertise with us

Sectra One Cloud

Sectra One Cloud

Change Healthcare [2]

Change Healthcare [2]

Infoway [Feb2023]

Infoway [Feb2023]

Zebra

Zebra

CHT print-200×400

CHT print-200x400

Contact Us

Canadian Healthcare Technology
1118 Centre Street, Suite 207
Thornhill, Ontario, Canada L4J 7R9
Tel: 905-709-2330
Fax: 905-709-2258
info2@canhealth.com

  • Quick Links
    • Current Print Issue
    • Print Archive
    • Events
    • Vendors
    • About Us
  • Advertise
    • Publishing Schedule
    • Circulation
    • Unit Sizes and Rates
    • Mechanical Requirements
    • Electronic Advertising
    • White Papers
  • Subscribe
    • Print Edition
    • e-Messenger
    • White Papers
  • Resources
    • White Papers
    • Writers’ Guidelines
    • Privacy Policy
  • Topics
    • Administrative Solutions
    • Clinical Solutions
    • Companies
    • Continuing Care
    • Diagnostics
    • Education & Training
  •  
    • Electronic Records
    • Government & Policy
    • Infrastructure
    • Innovation
    • People
    • Privacy and Security

© 2023 Canadian Healthcare Technology

The content of Canadian Healthcare Technology is subject to copyright. Reproduction in whole or in part without prior written permission is strictly prohibited. Send all requests for permission to Jerry Zeidenberg, Publisher.

Search Site

Error: Enter a search term

  • Issues
    • Current Print Issue
    • Print Archive
  • Advertise
    • Publishing Schedule
    • Circulation
    • Unit Sizes and Rates
    • Mechanical Requirements
    • Electronic Advertising
    • White Papers
  • Subscribe
    • Print Edition
    • e-Messenger
    • White Papers
  • Events
  • Vendors
  • About Us