Privacy commissioner investigating security of patient health records at Alberta Health Services

Alberta’s privacy commissioner is investigating whether Alberta Health Services properly safeguards the public’s personal health information after a 2018 audit revealed lax cybersecurity practices.

Assessment by external security firm found several major security risks

Alberta's privacy commissioner is investigating whether Alberta Health Services properly safeguards the public's personal health information after CBC News revealed the electronic system housing it was vulnerable to outside security threats.

A 2018 assessment by an external security firm found several "significant risks" with the health authority's administration of the Alberta Netcare Portal. The system gives health-care providers access to key information from a patient's medical file, such as laboratory test results and hospital visits.

A spokesperson confirmed commissioner Jill Clayton launched her investigation on Aug. 8, one week after CBC News reported on a leaked AHS summary detailing the firm's findings.

"The investigation is examining safeguards of patient health records at AHS," Scott Sibbald said Thursday. He declined to provide any further details because the investigation, conducted under the Health Information Act, is ongoing.

In its May 2018 summary, AHS said Procyon Security Group found 108 security risks in the Alberta Netcare Portal and its associated infrastructure: 11 critical, 34 high, and 63 medium.

"While it is difficult to quantify the risk, we might be considered to be in breach of the Health Information Act and the duties it outlines relative to our role in protecting health information," the AHS summary stated.

The Health Information Act states that a custodian of private health information has a duty to protect against any reasonably anticipated threat to the security or loss of that information.

On July 31, AHS told CBC News there was no breach of the Health Information Act and no breaches of the Alberta Netcare Portal by outside sources.

The health authority said it had already acted on most of the issues identified in the vulnerability assessment and it insisted patient information remained secure.

'Highly insecure' database access

Of particular concern to Procyon was the Alberta Netcare Portal's "highly insecure" database access.

The security firm discovered AHS last applied security updates to its system in July 2014 — three and a half years before the company conducted its review — and the health authority did not securely store users' passwords.

The portal protects users' passwords through a common method called hashing, a process that replaces an entered password with a unique string of numbers and letters derived from it.

Password "hashes" are then stored, and each time a user enters a password, it is hashed and compared against the stored hash.

But Procyon was able to obtain the password hashes of database users and crack nearly 40 per cent of their actual passwords.

From there, the firm would have been able to "exfiltrate all data in the database," including the password hashes of Alberta Netcare Portal users, and also to access "personally identifiable medical records," the AHS summary said.

As a condition of its operating agreement with Alberta Health, AHS must conduct vulnerability assessments every two years and meet certain service-level targets.

Procyon's review concluded the health authority is "in breach" of its targets.

In a statement to CBC News last year, AHS said it takes the proper steps to secure patient information.

"We are constantly reviewing all of our IT systems, so as to protect them from ongoing and ever-changing security risks, in turn protecting the information of our patients," AHS said.

"To not do this would be irresponsible, and would put our systems at risk of breach."
