P2018-ND-097

On February 13, 2018, a client contacted the Organization to report that she had searched her mobile phone number in Google and discovered that her and her child?s appointment information with the Organization, including her name, her child?s name, her phone number and information she had provided during the call to book the appointment, were published on Google. The Organization?s IT department immediately investigated and rectified the issue. At the time of the breach, the Organization did not have any security arrangements in place. The scheduler was unsecure and was not password protected because it was programmed for internal use only. The scheduler was used by the Organization at all of its locations across Canada. The Organization does not know, and is unable to determine, how long an individual?s personal information in its scheduler was exposed on the internet. As the scheduler contained a field for the Organization to add information provided to it by the individual, and at least in the case that was reported to the Organization, the notes field contained the name of a child, the Organization cannot say with certainty that the names of other children, or other personal information, was not contained in the notes field and exposed through the availability of the scheduler on the internet. The Organization advised that it has no way of knowing whether anyone?s information in the scheduler was accessed on the internet by a third party; however, no other complaints were made about this to the Organization.

File Type: pdf
File Size: 344 KB
Categories: 2018