Eastgate Medical Centre

Family Practice & walk-in clinic with Internal Medicine specialist on-site

Home notice letter of privacy breach

October [ 16 ], 2020
To our valued patients of the Eastgate Medical Clinic,

We are writing to share with you information regarding a data security incident that involved your personal health information. We take this incident very seriously. While we have no information to suggest that any health information was accessed or disclosed, we are providing this notification to you out of an abundance of caution and in accordance with our obligations as custodians as defined in the Health Information Act.

On September 6, 2020, the Eastgate Medical Clinic (the “Clinic”) experienced a ransomware attack, which resulted in the encryption of image files within the Clinic’s database. In response, we immediately retained an IT firm to conduct a thorough investigation into the circumstances surrounding the incident. Based upon our investigation, it appears that an unauthorized individual encrypted certain files containing personal health information, which were held in a database external to the Clinic’s electronic medical record. This database contained image files of faxed records including: patient questionnaires with personal information (e.g. names, addresses, telephone numbers, personal health numbers), radiology reports, lab/other test results and consultation letters (the “Records”). Based on the investigation by the IT firm, there is no evidence to suggest that the personal information within the Records was accessed and/or disclosed as a result of the cyber incident. The IT firm has advised that typically, ransomware simply encrypts data, in essence holding it hostage until the requested ransom is paid, at which time a decryption key is provided, allowing data to be restored to its usable form. This is what we understand to have occurred here. The Records were encrypted until the Clinic paid the ransom amount, at which time a decryption key was provided and the data was restored on September 26, 2020.

Nonetheless, given the nature of the Records and the fact that this was a malicious action of an unknown third party, we acknowledge that if this personal health information was in fact accessed or disclosed by this unauthorized individual, then certain risks of harm exist, as outlined in section 8.1 of the Health Information Regulation. Based on our assessment, we believe that the potential risk of harm to you is that the information or the unintended breach:
  • May be accessed, disclosed or misused by third parties, although there is presently no reasonable basis to believe the information has been accessed, disclosed or misused by third parties;
  • Could be used for identity theft or fraud, although there is presently no reasonable basis to believe the information has been used for identity theft or fraud; or
  • Could cause embarrassment, mental harm or reputational damage to you.

To reduce these risks of harm, immediately upon learning of the incident, we took steps to investigate and contain the incident. We retained a third party IT firm to conduct a thorough investigation and as outlined above, the IT firm has advised that there is no evidence to suggest that the personal health information was accessed or disclosed during the ransomware attack. Furthermore, we have retained the IT firm to assist in implementing additional security measures, including daily monitoring of our systems. As such, we have already strengthened our system and will continue to do so on an ongoing basis.

You may ask the Information and Privacy Commissioner to investigate the loss of or unauthorized access to or disclosure of your individually identifying health information. The Information and Privacy Commissioner can be contacted at 780-422-6860 (Toll-free at 1-888-878-4044) or at generalinfo@oipc.ab.ca.
If you require further information or have questions regarding this notice, please ask to speak with our Clinic Manager, Raquel Galay, in person or by calling 780-371-1114 during our normal hours of operation from 9:00 am to 7:00 pm [NTD: confirm hours].

The confidentiality of your personal health information is one of the Clinic’s top priorities and we take our role in safeguarding your information very seriously. We sincerely apologize for any inconvenience or concern caused by this matter. Thank you for your understanding.


Sincerely,
Dr. Adel Almighairbi, Dr. Msod Triki and Dr. Hussein Entaifa