In July 2009, Alberta Health Services (AHS) announced that a computer virus had compromised health information from its Edmonton-area network. The virus, a new variant of a Trojan horse program called “Coreflood,” may have exposed health information of up to 11,582 people from Alberta Netcare, the provincial electronic health record system. The virus was designed to steal information displayed on infected computers and send the data to an unknown party.
While some areas for improvement were noted, the investigator determined that Alberta Health Services had reasonable measures in place to protect against viruses. In fact, AHS discovered Coreflood after its anti-virus system failed to do so. AHS removed the virus, performed a forensic investigation, notified the affected individuals by mail, and is enhancing security controls to prevent similar incidents. The investigation concluded that AHS did not contravene the Health Information Act (HIA).
AHS identified 11,582 people whose health information had been accessed by staff from infected computers during the period the virus was active. Because the virus captured data and transmitted it only periodically, it is not known whether all of these people would have had their information exposed. However, AHS took a cautious approach and notified everyone who was potentially affected.
Information and Privacy Commissioner Frank Work commented, “Even when reasonable security measures are in place, things can still go wrong. I am pleased that AHS used this incident as an opportunity to improve its response processes. AHS acted responsibly by sending written notice to everyone whose information may have been compromised.”