Cyberbreach - Sometimes It's an Inside Job

Earlier this week, the Globe & Mail reported that four individuals, who were charged in connection with the theft and sale of maternity patient records from Rouge Valley Health System hospitals, pleaded guilty.  The stolen records were used to solicit sales of RESPs to new mothers.

This case is interesting from a cyber-security viewpoint for several reasons. First, it highlights the fact that a cyber breach can often be an "inside job": the Globe reported that the patient names came from a former Rouge Valley Health System nurse and a file clerk, both of whom had legitimate access to the records in the course of their work. Second, it demonstrates that data breaches can have a variety of serious consequences, even where the individuals whose information has been compromised may not have suffered much in the way of actual financial damages.

These data breaches resulted in a class action lawsuit filed against the Rouge Valley Health System. In addition, the file clerk was charged and pleaded guilty to unregistered trading under the Securities Act; the nurse pleaded guilty to two counts of receiving secret commissions under the Criminal Code; one of the RESP salespeople pleaded guilty to one count of using a forged document; and two other RESP salespeople pleaded guilty to charges under the Securities Act of participating in "improper referral arrangements".

While it might appear unusual that a hospital file clerk would be charged under the Securities Act, liability for unregistered trading extends to individuals who perform "any act or conduct done in furtherance of a securities trade" (here, the sale of the RESPs). In this case, the file clerk was not registered in accordance with the Ontario Securities Act, and by providing RESP salespeople with the names of new mothers who had given birth in the hospital, she acted in furtherance of a securities trade contrary to Section 25(1) of the Securities Act.

With respect to the nurse, she pleaded guilty to obtaining "secret commissions" in violation of section 426(1)(a) of the Canadian Criminal Code. Under Section 426, "agents" (which includes employees) are prohibited from "corruptly" (i.e., without disclosure) receiving any reward, advantage or benefit of any kind as consideration for doing an act performed on behalf of their principal (the employer). In this case, the sale of maternity patient information was both hidden from her employer and beyond the scope of her employment as a nurse.

The initial incident involving the file clerk also led to an investigation under the Personal Health Information Protection Act, 2004 by the Information and Privacy Commissioner of Ontario (IPC), and that investigation resulted in Order HO-013, issued December 16, 2014.

While these data breaches may, in reality, have resulted in little more than annoyance for the new mothers who were solicited to purchase RESPs, the case demonstrates that even a breach without apparent financial harm can have serious consequences. Here, the ramifications for the affected hospital took the form of IPC proceedings and class action litigation, and for the perpetrators the form of Criminal Code and Securities Act convictions.

The lesson in all of this is that protecting privacy is a serious business, and organizations need to continually train their employees to respect the confidentiality and security of personal information. Training alone does not stop an insider who already has legitimate access, so it needs to be backed by controls on who can retrieve personal information and by the ability to detect when that access is being misused. As well, organizations that receive personal information need to train their staff on the proper methods of collecting it and to make reasonable enquiries as to the source of any "leads" or lists of personal information before using them.