My Reaction – Laptop Stolen – 620K Patient Records Compromised


Last week a story was reported in the news about a stolen laptop. The laptop contained patient information for more than 620,000 Albertans. This is my response to the situation. It’s far less ranty than what was in my head before I started typing.

Last night I wrote a letter to the Alberta Privacy Commissioner (Jill Clayton), the Alberta Minister for Health (Fred Horne), and Medicentres (hope it gets to Dr. Arif Bhimji). I would have included the consultant, but he/she was simply identified as “IT Consultant”. I did copy the letter to CTV News (where I first read the story) and the Edmonton Journal.

The following links are to the stories on the CTV News site.

http://edmonton.ctvnews.ca/laptop-containing-health-information-for-thousands-stolen-province-seeking-investigation-1.1651500

http://edmonton.ctvnews.ca/privacy-commissioner-frustrated-after-laptop-with-personal-information-stolen-1.1653696

This is a bonus story – http://edmonton.ctvnews.ca/patient-information-stolen-from-covenant-health-1.1656104#commentsForm-478263

I’ll update this post if I hear anything from anyone involved.

Note to Medicentres – Please direct this to Dr. Arif Bhimji

I’m writing to you in regard to the theft of a laptop containing the health information of approximately 620,000 Albertans.

My name is Chris Walker. I’m an Albertan whose health information may have been compromised by the above mentioned theft (I visited the St. Albert Medicentre in 2011 or 2012). I am also a consultant who specializes in Information Management and Governance.

First of all, I don’t understand why a consultant would be allowed to store personal information on his/her laptop and then leave the building with it. I’ve been a consultant for more than 25 years and have never had the need to store personal or sensitive information on a non-client controlled device, and I have never removed such information from client premises. During my career I’ve dealt with information from banks, pharmaceutical companies, provincial ministries, federal governments, municipal governments, etc. During many of those engagements I’ve had occasion to deal with extremely sensitive information. In all cases the information was stored and secured on client servers, or it was masked / redacted / sanitized before I even saw it. In the rare cases where I needed to access real information, it was always by using client hardware.
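The masking, redaction and sanitizing described in that paragraph, as an added example that is not part of the original post and not anything Medicentres or the consultant used: a small Python script that turns a constructed visit extract into the form a consultant should be handed, and checks the result before release. The record layout, field names, custodian key and allow-list are assumptions made for illustration.

```python
import hmac
import hashlib

# Constructed sample extract (made-up rows, not real patient data) in the shape a
# clinic system might export: one row per visit. Two rows belong to one patient.
SAMPLE_RECORDS = [
    {"phn": "123456789", "name": "Jane Doe", "dob": "1984-03-12",
     "visit_date": "2012-05-03", "clinic": "St. Albert", "reason": "flu",
     "notes": "Jane Doe requested a sick note"},
    {"phn": "987654321", "name": "John Roe", "dob": "1971-11-30",
     "visit_date": "2012-05-03", "clinic": "St. Albert", "reason": "sprain",
     "notes": "follow-up in two weeks"},
    {"phn": "123456789", "name": "Jane Doe", "dob": "1984-03-12",
     "visit_date": "2012-06-18", "clinic": "Edmonton", "reason": "flu",
     "notes": "recovered"},
]

# Fields that identify a person directly. They never leave the custodian's system.
DIRECT_IDENTIFIERS = ("phn", "name")
# Allow-list of fields a consultant actually needs for, say, visit-volume analysis.
# Anything not listed (free-text notes included) is dropped rather than trusted.
DEFAULT_ALLOWED = ("clinic", "reason")


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed one-way token for a direct identifier.
    Same input + same key -> same token, so visits by one patient still link up,
    but without the key the token cannot be reversed or brute-forced from the
    small PHN space. The key stays with the data custodian, never the consultant."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def sanitise_record(rec: dict, key: bytes, allowed=DEFAULT_ALLOWED) -> dict:
    """Build the row a consultant gets: a token instead of the PHN, coarsened dates,
    and only the allow-listed fields."""
    out = {
        "patient_token": pseudonymise(rec["phn"], key),
        "birth_year": rec["dob"][:4],          # generalise; exact DOB is not needed
        "visit_month": rec["visit_date"][:7],  # YYYY-MM is enough for trend work
    }
    for field in allowed:
        out[field] = rec[field]
    return out


def sanitise_extract(records, key: bytes, allowed=DEFAULT_ALLOWED) -> list:
    return [sanitise_record(r, key, allowed) for r in records]


def leaked_identifiers(extract, records) -> list:
    """Release gate: scan every value in the sanitised extract for any raw direct
    identifier, as a substring, because names hide inside free text. Returns the
    identifiers found; an empty list means the extract is clean."""
    raw = {r[f] for r in records for f in DIRECT_IDENTIFIERS}
    found = []
    for row in extract:
        for value in row.values():
            for ident in raw:
                if ident in str(value) and ident not in found:
                    found.append(ident)
    return found


if __name__ == "__main__":
    key = b"custodian-held-secret-key"  # assumption: loaded from the custodian's secret store
    clean = sanitise_extract(SAMPLE_RECORDS, key)
    print(clean)
    print("leaks:", leaked_identifiers(clean, SAMPLE_RECORDS))  # [] means safe to hand over
```

Three things a practitioner would check here: the key that generates the tokens stays with the custodian, so a stolen copy of the extract cannot be mapped back to people; fields are allow-listed rather than deny-listed, because free-text notes are where names leak (add `"notes"` to the allow-list and the release gate flags it); and the gate runs before anything is copied off the client's systems. None of this replaces the rule that the extract stays on client-controlled hardware; it limits the damage when that rule is broken.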

To the Consultant – I’d love to know what you were working on that you thought you needed to store live patient data on your laptop. I’d also love to know whether you were at Medicentre as an independent contractor or you were working on behalf of one of the System Integration firms. In either case, I’d love to know who you are so that, in case our paths cross, I can either educate you on how to properly handle sensitive information or make sure you’re never involved on any project that I am associated with.

To Dr. Bhimji – You need to go through those records and inform every one of the affected Albertans. Don’t put the onus on us to find out if we’ve been compromised. Be responsible and do the right thing. The fact is, as soon as you were aware of the theft you should have started identifying affected individuals and begun informing them of the situation. As it is, enough time has passed that damage may already have been done.

The complete lack of any mention of the breach on your (Medicentres) website does not give me the sense that Medicentres is giving this matter the attention it requires. That’s just my opinion as an Albertan, one of your patients, and as someone who makes a living by advising organizations about the proper management and handling of information.

That you’ve made some policy adjustments is great; however, how is that going to help any of us if our information’s been compromised? You really ought to have done something ages ago. For what it’s worth, you may also want to consider not giving access to live data to anyone who doesn’t absolutely need it to do their job. If you need some help sorting this out, let me know; I’d be happy to help.

To Minister Horne – I agree that changes to legislation need to happen. I don’t think that you need to wait until the Privacy Commissioner releases her report to get started. To be frank, many changes to operating policies and procedures for managing information can be made without changing legislation at all; think of them as preventative measures.

Enacting new legislation for dealing with breaches is necessary since we’ll never have 100% security as far as sensitive information is concerned, but we also need to focus on preventing security breaches in the first place. Effective controls are far more cost effective than trying to clean up the potential messes that would occur once a breach happened.

To Commissioner Clayton – I don’t envy your position. I trust that you wanted to do the right thing, but were hampered by legislation. I hope that your investigation into this matter is fast-tracked. I encourage you to make the results of the investigation public; we have a right to know.

To All of You – I strongly suggest that you get involved with professional organizations such as AIIM (Global Community of Information Professionals) and ARMA (Association of Records Managers and Administrators). Both of these organizations are focused on managing, governing, and securing information. There are also organizations that deal specifically with information security and privacy. With the resources available to us today and with what we know about managing information, there’s just no excuse for what happened.

As someone whose information may have been compromised, I am angry. As someone who consults on Information Management and Governance, I’m incredulous that this happened considering how easy it is to prevent this type of thing. While the theft was a criminal, deliberate act, the presence of patient information on the stolen laptop was nothing more than negligence.

Sincerely,

Chris Walker

Update January 29, 2014 …

Much to my surprise, I did hear from Dr. Bhimji of Medicentres. Below is an excerpt from the email he sent last night. I’m happy to note that there is now mention of the privacy breach on Medicentres home page.

I can advise that we reported the breach to the Privacy Commissioner and have worked closely with them. The Commissioner approved the form and wording of the notification.

The website is updated regularly and the information is found under the patient tab and has been present there since the announcement. I have asked the operations people to consider putting some information on the main landing page.

Patients have been advised about what measures they can take to determine if there have been any intrusions on their privacy. This information is available on our website and also by calling our call centre if you wish more detailed information.

Update January 31, 2014

Heard from the Privacy Commissioner’s office that she will be making the results of the investigation and review public. – I’m very happy about this.

Heard from Medicentres’ folks that if you visited one of their clinics during the time period stated, your details are on the laptop that was stolen. We (the Medicentres person and I) both speculated that the theft was for the laptop, not the data, but we could be wrong.

Block Porn? Don’t Bother


After reading about Conservative MP Joy Smith’s pornography filter idea on the CTV News site, I decided to respond to her and David Cameron (he’s the British PM, you know). You can read about Smith’s plan here. You should also watch the video and read the comments; very entertaining.

Dear Joy and David

I think it’s great that you’re trying to protect the children, but back off, will you? It’s not your job; it’s my job as a parent.

I don’t have any problem with using legislation to keep illegal content off of the internet. I do, however, have a huge issue with government trying to keep objectionable content off the internet. You see, only I can determine for myself and my children what is objectionable. You can’t, my neighbours can’t, my community can’t, … only I can make that determination. You are heading into territory that smacks of censorship. You are advocating that government make moral decisions for citizens. You have no mandate nor right to do this.

Personally, I have no objection to pornography, as long as it depicts one or more consenting adults. I do object to any content that depicts or promotes racism, intolerance, Brussels sprouts, animal abuse, child abuse, elder abuse, Michael Jackson, Justin Bieber, spousal abuse, honour killings, violence against women, anti-gay sentiment, anti-pro-choice sentiment, … there’s a long list of things that I find objectionable. However, as long as it’s not illegal, leave it out there and let those of us with a couple of functioning brain cells decide for ourselves whether or not to check it out.

You mention that you’re proposing this to protect the children from pornography (among other things). Are you really certain that it will work? One of the issues is that parents aren’t actively filtering what their children can see when connected to the internet. What makes you think that applying a filter, which can be turned off, will change this? If Mummy or Daddy want to see naughty-naughty on the computer, they will turn the filter off and chances are that any kids using the computer will be able to view naughty-naughty because Mummy and Daddy haven’t set up the appropriate controls at the DEVICE and USER levels.

If Mummy and Daddy were smart or pro-active enough to set up the controls in the first place, the filter you propose would not be necessary. If they’re not smart or pro-active enough, the filter you propose won’t be effective because they’ll turn it off to view naughty-naughty and never control things at the user and device level.

Parents need to be more actively involved in what their children are doing online and offline. I have three children, two of whom are old enough to be computer users. I have taken the time to set up parental controls for each of them, and to monitor what they are doing online. This doesn’t mean that nothing gets by what I’ve put in place; it means that I am aware of anything getting by and I can adjust settings when I have to. It means that I actually talk to my children about their online activity. It means that I educate myself and my children about spending time online. It means that if my children come across something that disturbs or confuses them, whether or not it’s sexual, we discuss it as a family. It means that my wife and I take the time to have frank, age appropriate discussions about love and sexuality with our children. It also means that my children have more to their lives than just the internet.

Active, informed parental involvement, coupled with managing internet security settings (it’s not that hard and there are plenty of free resources and tools) will do far more to protect children from seeing porn on the internet than instituting a nanny state filter could ever hope to.

Joy and David, thanks for trying, but spend taxpayer money where it makes more sense. Education, healthcare, anti-poverty measures … these and many more initiatives can use all the money they can get. I’m fully supportive of doing whatever can be done to rid the internet of illegal content and bringing the purveyors to justice; but when it comes to censoring content that is legal, stay out of my house and off my internet.

Cheers!

Chris Walker

Involved Parent & Internet User

A List – 10 Anti Predictions for 2013


Here’s a slideshare version of this post … http://www.slideshare.net/ChrisWalker7/a-list-10-anti-predictions-for-2013

  1. We’ll stop talking about social as if it’s something new.
  2. Everyone will understand the cloud.
  3. No one will buy anyone.
  4. Social networks’ terms of service will be transparent, easy to understand, and favour the user.
  5. People will stop caring about the Kardashians, Honey Boo Boo, and the Royals.
  6. RIM will be sold off in pieces, like black market organs.
  7. No one will dust off an idea from 20+ years ago, give it a new acronym, and call it new / the next big thing.
  8. Procurement departments will focus on value instead of cost.
  9. No one will sue anyone.
  10. BYOD


Gamification – Dumbest made-up word ever?


WARNING: This post contains swear words. They’re there ‘cause of my mood when I wrote this in reaction to a gamification discussion. I’m all better now, thanks. 

This was originally posted on AIIM

Of all the buzzwords & acronyms being bandied about out there, “gamification” pisses me off above all others (maybe it deserves a shiny badge). I cringe whenever I hear it or read it. It cheapens what I and others have worked our asses off to achieve in our careers. It reminds me of the fat kid in grade 6 that got a ribbon because he managed an astonishing 7 situps in 1 minute (for the record, it wasn’t me). As a professional, equating my work with games, however obliquely, insults me. Games are what I play with my friends and family.

I was raised to work hard, though I didn’t always do so as a student. At school you worked to get the grades and not spend more than one year per grade. If you were the smartest kid in school you may have gotten an exemption from finals, a scholarship, or beat up. Professionally, you worked hard (and smart, I hope) to get your stuff done and get ahead. If you didn’t get your stuff done you were rewarded with time off ‘cause they fired your ass for being deadwood, and you deserved it. Rewarding / recognizing people for doing just enough to get from grade 3 to 4 or to keep their jobs (reward enough, I say) is sheer lunacy.

My kids don’t get rewarded for just doing stuff that’s expected of them (e.g.: cleaning their rooms, picking up after pets, doing well in school). They get rewarded for exceptional behaviour & performance; the rest is just life. I don’t get rewarded for just showing up and doing my job in an ordinary, expected way. I get rewarded when I perform above expectations. If I or my kids don’t meet expectations in our respective roles bad things happen. Such is life.

The key, my fellow planetarians, is to set the expectations early and define what one need do to earn the rewards / recognition. Apparently, doing the dishes does not automatically entitle me to “get some”, but if I don’t do them it’s automatic that I won’t? WTF is that about? Anyways …

I have no objection to reward & recognition schemes. In fact, I’ve received and doled out plenty of recognition (the positive kind) over the years. Rewards / recognition have been tangible (e.g.: bonus $, raise, promotion, time off, gift cards) and intangible (peer/client/manager figurative pats on the back). Most people, me included, are happy to receive them. But we’ve generally received them because we’ve performed exceptionally or taken on additional responsibilities. I can’t recall one instance in my career where I’ve given or received a reward for simply doing my job. It’s just not something that makes any sense to me.

Like I said, rewarding / recognizing people for exceptional performance or taking on additional responsibilities is fine. In fact, it’s a freakin’ critical thing to do because it helps to motivate people and keep them interested in their work. It can also help motivate the unexceptional to become exceptional. I truly believe that it’s a necessary thing to do and that it benefits all involved.

One of the areas that [the word I hate] is being linked to is social collaboration (which also sucks ass as a term because how the hell are you gonna collaborate if you’re not being social), especially as related to identifying experts. It works like this:

  1. Say something not completely stupid.
  2. Someone, who may or may not be stupid, rates your stuff (or gives you a badge or a cookie or a pin, who cares?).
  3. Someone else sees the rating, and being equally as stupid, or not, bugs your ass for your opinion or for help.

Uh, WTF? I do good work and get “rewarded” by more people bugging me? What kind of psycho place is this?

Identifying experts is good. It helps those seeking advice by providing resources to tap. It helps those providing advice by making them think a bit more and pushing them to be better (and the ego stroking likely doesn’t hurt). But calling it [the word I hate] does everyone a disservice. Experts have worked extremely hard to get where they are, and many truly enjoy what they do and helping others. The folks looking for advice are likely stuck on something that may or may not be hugely important. I’m not certain that anyone involved wants their situation or efforts equated to playing games.

When I write a post I don’t write it to garner likes, +1’s, followers, or increase my Klout score (Klout is Krap, IMO). I write because I have something to say that I think and hope will benefit someone, or at least make them think. If someone provides positive feedback I appreciate it. If someone provides negative feedback I appreciate that too and try to be better the next time (unless they’re just being a dick). If someone reaches out and asks for advice, an opinion, or help, I provide it gladly with no expectation of getting a badge or biscuit. I do it because I am social just like every one of you reading this. Sometimes I write because I get pissed off and need to get something off my chest. On those occasions feel free to ignore me, just like my wife and kids do when I go all bat-shit crazy over something.

As a consumer, I love [the word I hate], but prefer to call it loyalty rewards or some such. I like going out and spending money on stuff, getting points, and using the points to get more stuff for FREEEEEE!!! I also like discounts, upgrades, and complimentary in-flight hookers (not available on domestic flights). But when it comes to me spending money that I’ve worked hard to earn, don’t equate it to playing games.

I’ll give [the word I hate] a little slack on social media & social networks. Earning “stuff” on Facebook (was thoroughly disillusioned to learn that “poking” wasn’t nearly as exciting as I’d imagined) games, Foursquare, Klout, …, doesn’t bug me, mainly because I don’t take them all that seriously (like I do my work & my family).

[Added 2012-06-20 …

On the corporate side, there’s a few areas where I think [the word I hate] is apt:

  1. Projects requiring participation of people that have “real” jobs;
  2. Organizational change management;
  3. User adoption.

When you pull staff onto a project they’re still typically expected to do their day jobs. They’re also generally not used to working on projects; there’s a huge change in dynamics from doing an operational role (e.g.: claims processing) to being the subject matter expert in JAD (Joint Application Design) sessions for a new claims system. Doing something as seemingly insignificant as awarding a prize for the best project name can reap huge dividends.

Organizational change management and user adoption are other areas where it pays to “play”. Adapting to new tools and methods is not easy for most people. Even if people hate the tools and methods they’ve been using, they’re used to them and some really are resistant to change. Providing people with goals, tools to reach them, and incentives for reaching them is a good thing. [The word I hate] won’t make the transition any easier, but it ought to serve to get the participants more involved and also provide them with a way to measure their progress.

…]

Give me a raise or a bonus, give me a pat on the back, ask me for my “expert” opinion / advice; I’m cool with all those things if I’ve earned them. Just don’t equate what I do professionally to playing games. Maybe I’m just a grumpy old bastard. If so, I’m perfectly fine with that. It’s not the application of game theory I hate; it’s the label we’ve given it. When applied to so many aspects of our lives I find it diminishes us, our efforts, and our accomplishments.

Note: none of this applies to people who actually play games for a living. E.g.: Bowling, darts, pool. I don’t care what channel they’re televised on, they are not sports.

Social: Bugger All New to See Here


In the context of business, social content does not exist. Social describes the nature of the forums in which the content is generated; social does not describe the actual content. To be honest I don’t even like using the word “social” to describe the forums in which the content is generated. This “new social business” thing is really nothing more than an extension of the Business-to-Consumer (B2C) and Business-to-Business (B2B) models.

Business has been taking place socially since time began. Get over it; we aren’t doing anything that hasn’t been done before. What we’re doing is using new tools to do it faster, capture more stuff, and do it better (we hope). We’re also creating a whacking great amount of new buzzwords and revenue opportunities for vendors, SI’s, analysts, and fly-by-nighters based on not much more than new and improved products, where the new and the improved part is suspect in some cases.

Truly social content is that stuff we see on Twitter, Facebook, and a host of other channels (that are shared with business activities) about how much you drank, what you had for dinner, who’s doing bouncy-bouncy with whom, etc. It’s not that the content isn’t valuable to some (nice take on it here by Cheryl McKinnon), it’s just not business related content so from a business point of view we really don’t care (and do not confuse business value with historical or archival value).

Bduhon asked this yesterday: “The phrase ‘social content’: is there any there there, or is it a BS concept? Content is content is content.” Wanna take a shot at what my opinion is?
