Providing Gastroenterology Care to the Fraser North Health Region

Aug 1, 2024

 Hello,

 We are writing to notify you of a data security incident that may have involved your personal health information. We take the protection of personal health information very seriously and are sending you this correspondence to tell you what happened, what information was involved, and what we have done to address the situation. We appreciate that this news may be concerning, and we apologize.

 

What happened

We recently discovered that an unauthorized third party accessed our clinic’s electronic medical record (EMR) remotely and downloaded patient files stored on the EMR. Based on our investigation to date, we determined that the unauthorized activity occurred between June 19, 2024 and July 1, 2024. We have determined that some of your personal health information was affected by this incident. Our IT company has already begun making improvements to our network security and will continue to do so to ensure that we are better protected against data security incidents in the future. As set out in further detail below, we have also taken steps to secure our EMR and have not seen any additional unauthorized access to our EMR since we began this investigation.

 

What information was involved

The personal health information that may have been obtained by the third party may have included your name, contact information, personal health number, and medical information relating to your attendance at our clinic. Our clinic does not maintain any financial or credit card information for our patients in our EMR.

 

What we are doing

We have been diligently investigating this incident with assistance from outside experts. We have reported the incident to the Office of the Information and Privacy Commissioner (OIPC), and we have contacted and are cooperating with local law enforcement and the RCMP. We have additionally taken a number of technical and administrative steps to further enhance the security of our systems and patient data. These measures include reviewing access permissions and limiting remote access, privacy training for clinic staff, conducting a comprehensive review of the clinic’s compliance with privacy protocols, and creating an office policy to ensure compliance with the recommendations set out in the BC Physician Privacy Toolkit.

 

We are fully committed to protecting your health information, and deeply regret that this incident occurred. If you have any questions or concerns regarding this incident, please do not hesitate to contact Barb, Kandace, or Carly at our clinic at 604-553-1122, Monday-Thursday from 9:30 am to 3 pm.

 

Sincerely, 

Columbia Gastroenterology Clinic


FAQs

We understand this is worrisome news, in this day and age. See below for some responses we are able to give to common questions.

Please understand that this is not our area of expertise, though we have had conversations with law enforcement and other professionals with more experience in this field.

**IMPORTANT**

It would be highly unusual for someone from our office to call asking for financial or credit card information. If someone calls you from a number you don't recognize asking for this or similar information, please call our office to confirm.

This incident affected our clinic's EMR, NOT Fraser Health or the hospital. 

What are hackers able to do with this type of information?

As mentioned in our original letter, no SIN numbers and no credit card, banking, or other financial information are kept in our EMR. This means that no one should be able to do things such as access a bank account, take out a loan, or obtain a new credit card using the EMR information. Impersonation could be attempted; identity theft would be more successful if a hacker obtains other personal/financial information from other sources.


Is there anything I should be doing to protect myself?

In general, it's good practice to be mindful of how much personal information you make available online, on social media, and with commercial entities. Be wary of suspicious-sounding emails or other communications, particularly if someone is trying to obtain personal or financial information from you (phishing). If you don't trust what's going on, be sure to ask for more information.

  • Protect your SIN. Don’t use it as a piece of ID and never reveal it to anyone unless you are certain the person asking for it is legally entitled to that information. When an organization requests your SIN, ask if it is legally required to collect it, and if not, offer other forms of ID.

  • Pay attention to your billing cycle and ask about any missing account statements or suspicious transactions.

  • Immediately report lost or stolen credit or debit cards.

  • Carry only the ID you need.

  • Do not write down any passwords or carry them with you.

  • Protect your computer and its information by installing Internet security software products.

  • Be extremely careful when you provide personal information via email or over the Internet. Take extra care when providing information on social networking sites such as Facebook.

Add a Fraud Alert through a credit monitoring company. This can be done free of charge through TransUnion or Equifax. They are Canada’s two credit monitoring companies: they collect and compile information regarding your credit history from banks, other financial institutions, courthouses, the Office of the Superintendent of Bankruptcy and various other bodies. They do not make lending decisions but they receive information from lenders, creditors and others. Some creditors report to both bureaus but some may report to only one, which is why it is important to add a fraud alert to both bureaus. Instructions on how to do this can be found below. 

Some may want additional peace of mind and choose to purchase Identity Theft and Credit Protection.

***For more information from the Canadian government on the topic of identity theft:***

Protect Yourself Against Identity Theft - Canada.ca

How did this happen?

Unfortunately, hacks are becoming more sophisticated all the time. There were 2 antivirus software programs installed on our office computers prior to the data breach. It is not entirely clear how the unauthorized party gained access to the EMR. It is possible a keystroke detector program was used to obtain a login and password to the EMR.

Can I have the RCMP and OIPC file numbers?

OIPC file number: P24-97630

New Westminster Police file number: NW24-11056

No RCMP file number exists - the New West police were in consultation with the RCMP but the RCMP did not open a case file themselves. 

Do I need to get a new PHN?

Your PHN is assigned to you for life; however, you can contact MSP to have them add a password and/or security alert to your PHN. 

MSP: 604-683-7151

Why did it take so long to inform us?

There were a number of reasons for the delay.

Reasons include (but are not limited to) requiring time to detect the breach, notify the appropriate authorities, obtain counsel, investigate the breach, collate a list of all patients affected, clean up and prepare contact information, create templates of notification letters/messages, and coordinate with various multimedia platforms to send out the notifications.

Is your office going to reimburse me for the cost of credit monitoring? Is credit monitoring necessary?

You can add a fraud alert for free; see the instructions on our website. Credit monitoring is not felt to be necessary based on the information that could have been accessible on our EMR. However, depending on your possible exposures from other sources (for example, personal information made available across social media), you may want to consider it. Different people will have different risk tolerance.

Has the perpetrator been identified or caught?

The police and RCMP were informed of the incident and have been/are working on it. At this time we do not have any further information.   

What should you do if you think you are a victim of identity theft?

You should immediately:

  • notify your financial institution and the local police;

  • contact the CRA at 1-800-959-8281;

  • report the theft to a credit reporting agency such as Equifax or TransUnion;

  • keep records of recent purchases, payments, and financial transactions; and

  • call 1-800-O-Canada (1-800-622-6232) for information on where and how to replace identity cards such as your health card, driver’s licence, or SIN if necessary.

To report a fraudulent communication, or if your identity was stolen as part of a scam, please contact the Royal Canadian Mounted Police’s Phonebusters by email at info@phonebusters.com or call 1-888-495-8501.

Setting up a Fraud Alert

TransUnion:

- Visit www.transunion.ca

- Ensure you are on the PERSONAL part of the website (located at the top of the web page)

- Click on CREDIT REPORT ASSISTANCE and then FRAUD VICTIMS RESOURCES

- Scroll down the screen until you see “There are three ways you can add a Potential Fraud Alert to your credit file”. You can then decide which method you prefer (online, telephone or mail).

- If you choose the Online option, you will need to click on the link “Click Here” which will take you to their online Potential Fraud Alert service.

    o Once you are on the “TransUnion Online Consumer Solutions” page, you will need to sign up for an account if you are not already a member.

    o Once you have registered for an account you will receive an email to further validate your identity and then you will be prompted through the process of adding a fraud alert.

    o If you are already a member, you will sign in and proceed from there.

Equifax:

- Visit www.consumer.equifax.ca

- If you’re using a desktop computer, click on the EQUIFAX name at the top left of the screen; it will take you to the PERSONAL part of the website

- Click on CONSUMER SERVICES and then DISPUTE INFO ON CREDIT REPORT

- If you are accessing the website from your mobile device, scroll down to the bottom of the page until you see DISPUTE SOMETHING ON YOUR EQUIFAX CREDIT REPORT

- Click on the red button that reads START YOUR DISPUTE

- You can then choose between submitting your dispute via email or mail.

- If you choose EMAIL: fill out the requested information and click on “Alerts – fraud warning, identity alert or consumer statement”.  Submit and then follow the remaining instructions from Equifax.

- If you choose MAIL: click on “Alerts – fraud warning, identity alert or consumer statement”.  Submit and then follow the remaining instructions from Equifax.

***If you don't own a computer you can still contact TransUnion & Equifax by phone:***

TransUnion: 1-800-663-9980

Equifax: 1-800-871-3250


