Denmark’s Unencrypted Health Information Breach
News and information from the Advent IM team.
Advent IM Security Consultant, Del Brazil
It has recently been reported that health information pertaining to Denmark’s entire population, numbered at approximately 15 million, has been compromised after unencrypted CDs were received by an unintended/unauthorised recipient. Datatilsynet, Denmark’s Data Protection authority, reported that the breach occurred in 2015 and was linked to 2 unencrypted CDs destined for Denmark’s statistics bureau which, due to mishandling by the postal service, actually ended up at the Chinese Visa Application centre in Copenhagen. The CDs were received sealed by the Application centre but were inadvertently opened by the centre staff. Once the mistake and the contents of the package were identified, the complete package including the CDs was delivered to Statistics Denmark.
The originator of the information, Statens Serum Institut (SSI), which operates under Denmark’s Ministry of Health, has stated that there was no reason why the CDs hadn’t been suitably encrypted and that personal data had been compromised, resulting in potential consequences for the people affected. The nature of the consequences has not yet been estimated or further commented on by either SSI or the Ministry of Health.
There are a number of serious questions that need to be addressed as a result of this breach, but the two main ones are as follows:
1. Why or how were the CDs permitted to leave SSI without any encryption?
2. Why has it taken so long for the breach/incident to be reported/publicised?
Let us address the first question: why or how were the CDs permitted to leave SSI without any encryption? There is the possibility that the relevant IAO/SIRO may not have sufficient knowledge or experience in dealing with personal data. This is highly unlikely, as if they were unfamiliar with the rules and regulations on protecting personal data they should have sought additional advice or direction. A second possibility is that the current risk appetite within SSI and/or the Ministry of Health is one that would permit the transfer of personal data without sufficient encryption. A third possibility is that time constraints were placed upon SSI and, as a result, a breakdown or skipped step in a potentially formalised process meant no encryption was applied to the CDs. Another consideration is that the receiving organisation is unable, due to technical constraints, to receive the data in an encrypted format; this is highly unlikely, though, as there are various products on the market that allow a decryption method to be embedded within the encryption process. An alternative theory may be that encryption is simply not a requirement of the Ministry of Health; again this is highly unlikely but cannot be ruled out. Another potential reason is that the users were unfamiliar with the encryption process, resulting in an attitude of ‘don’t know so won’t do it’ which may have been ongoing for years within the organisation.
The second question is relatively easily addressed; the actual rationale is yet to be established, but there are a number of potential reasons that should be considered. The first reason may be to allow SSI and/or the Ministry of Health to contact all those persons involved to advise them of the occurrence rather than them reading about it in the press. A second possible reason may be to facilitate a full and comprehensive investigation to ensure that all the relevant information is collated to answer any potential questions posed by the press. The third potential reason may be related to damage limitation, as delaying the publication may be a way of potentially downplaying or watering down the severity of the breach. Personal and/or press agents may not be overly interested in old news, especially if there is a higher priority news report that may be considered juicier by the respective editors.
There are certain lessons to be learned that are potentially applicable to all readers of this blog, whether that be that users need to be reminded of the requirement and procedures to be followed or that senior management need to take additional steps to ensure that policies are adhered to.
Questions that should also be contemplated include, but are not limited to: what postal tracking system is in place, and were the procedures followed correctly? What would SSI have done if the Applications Bureau hadn’t delivered the CDs; would they have reported the incident at all? What actions, if any, has the postal service taken to avoid re-occurrence? Has there been any formal action taken against an individual or organisation? Hopefully, given time, these and other questions will be answered.