When you go to a doctor or another medical professional, you’re entrusting them with not only your personal health records, but other private information such as your address, phone number, health insurance, and even your credit card data. Yet in 2013, Canadian care clinics Medicentres was the victim of one of the most significant data leaks in the country’s history. What transpired in this case?
In late 2013, Canada’s Medicentres announced that data had been breached at one of its 27 clinics, which together serve more than 620,000 patients. The cause was a stolen laptop. Unfortunately, Medicentres did not tell its extensive patient list what had happened for more than four months after the incident, because of a badly planned review of its procedures and policies.
If you’re wondering how a data breach of this magnitude can take place, you’re certainly going to want to keep reading. We’ll discuss more about Medicentres’ history, the incident, and what you can do to protect your own private data going forward.
Who Is Medicentres?
Medicentres is a group of family healthcare clinics throughout Canada. They have more than 25 locations in all, including in the following parts of Canada:
- In Ontario, the Wonderland Clinic and the Malden Clinic
- In Manitoba, the Parkview Clinic and the Interlake Clinic
- In Alberta-Lethbridge, the Medicentres Haig West and the Medicentres Haig South
- In Alberta-Edmonton, the Westgrove Clinic, Westgate Clinic, Sherwood Park Clinic, Riverbend Clinic, Pleasantview Clinic, Millwoods Clinic, McKenney Clinic, Londonderry Clinic, Kingsway Clinic, Hermitage Clinic, Heritage View Clinic, Ellerslie Clinic, Downtown Clinic, Castledowns Clinic, Capilano Clinic, Belmont Clinic, and the Belle River Clinic
- In Alberta-Calgary, the South Trail Clinic, Panorama Hills Clinic, Mount Royal Clinic, Horizon Square Clinic, Heritage Hill Clinic, Forest Lawn Clinic, Crowfoot Corner Clinic, and the Country Hills Clinic
Per information on the case, Medicentres had more than 620,000 patients as of 2013 spread across those clinics. The services Medicentres offers are prenatal care, pediatrics, pap care, podiatry, orthopedics, occupational health, minor procedures, mental health, internal medicine, gynecology, and chiropractic care. They also have family doctors who act as primary care physicians.
What Happened?
On September 26th, 2013, an IT consultant working in the building at the Edmonton Medicentre Family Health Care Clinics stole one of the Medicentres laptops. The laptop was unencrypted, so whoever had it could simply read and leak the data stored on it.
It wasn’t until October 1st, 2013 that the Medicentres in Edmonton reached out to Alberta’s Office of the Information and Privacy Commissioner as well as Edmonton police. It’s unclear what caused this initial delay, but it wasn’t the only delay in this case, nor was it the most detrimental.
Four months later, Medicentres was in touch with Canada’s Ministry of Health about the incident as well as their own patients, of which more than 600,000 were potentially affected by the data leak.
According to Medicentres themselves, they had been reviewing the procedures and policies that dictate their healthcare business, and that’s why it took so long to tell their customers what had happened. Also, the Christmas holiday, when staff took vacation time, delayed progress. In that time, Medicentres as a whole began encrypting their portable computing devices, doing administrative and security risk audits, and determining corrective actions.
What kind of patient information was leaked? Patients’ full names, health information numbers, and birthdates were part of the leak, but fortunately, medical records and social security numbers were not. Still, even that information in the wrong hands is damaging, even if identity theft probably can’t occur with it.
What Were the Consequences?
In January 2014, Edmonton’s privacy commissioner began digging deeper into the Medicentres data breach. The country’s health minister was incensed about the delay from Medicentres and said as much to reporters.
What was found was that the health clinic “did not provide guidance to the contracted IT consultant about the protection of health information,” nor did they “take reasonable steps to safeguard health information on the computer laptop,” says a Global News writeup on the case.
Some of Medicentres’ patients decided to file a class-action lawsuit against the clinic, working with Winnipeg law firm D’Arcy & Deacon LLP among other firms to sue Medicentres for an $11 million settlement. The parties claimed lost wages and time trying to protect their identities from theft as well as mental distress and credit damage.
The lawsuit did get resolved with a settlement of only $725,000 paid out from Medicentres, which is a lot less than the ex-patients originally asked for.
When the data breach occurred, Medicentres felt confident that identity theft was unlikely for the patients because patients’ social security numbers and health records were spared from the breach. Medicentres also suggested that patients check their credit card statements for a while without any credit monitoring services offered to the affected parties.
Medicentres is still in operation today. The breach, while certainly damaging, isn’t as damning as some of the other data leak cases we’ve discussed, so there’s no reason for Medicentres not to have survived and continue to do business.
What Was Learned?
For a clinic that claims to care so much about the health of its patients, Medicentres acted very poorly here. First of all, the clinic wasn’t even aware of the breach when it happened, leaving everyone very vulnerable. Remember that it took nearly a week for Medicentres to catch on that their laptop had even been stolen. By then, it was way too late to mitigate damages, as the worst had already been done.
The reason for the delay could have been because there are so many Medicentres operating across Canada, so the news may have spread more slowly. If that’s the case, then it’s acceptable to a degree, as it may have been unavoidable. What’s not acceptable is how long Medicentres waited to get the police involved, and then how much longer they waited (four months) to let their own patients know.
These are the people most affected by the data leak, so they should have been at the top of the priority list. Medicentres’ internal reviews and remediation could have waited until after its patients had been told and had decided what they wanted to do.
Still, Medicentres had a very cold, uncaring attitude towards their own patients, telling them to watch their credit but offering no assistance. They stood by their statement that the data leak wasn’t damaging, but that clearly wasn’t enough to give their patients peace of mind, as the patients sued Medicentres in the end.
Here are some takeaways from the Medicentres data leak case:
- If you’re part of a company and you notice a leak occurred, get in touch with the correct authorities immediately.
- Always let your customers know about a breach as soon as you become aware of it, as they’re the ones affected.
- Be caring towards your customers if you want to retain them. Breaches happen, but your attitude will go a long way towards your customers trusting you again or not.
- Use the Noftek security system to keep your data protected from within so unencrypted laptops are a thing of the past.