Cyber expert feels data needs better protection after PharmaNet breach

VICTORIA (NEWS 1130) – When you go to the doctor, you expect your private information to remain private.

Letters are now going out to thousands of British Columbians who have had personal data compromised in a breach of BC’s PharmaNet system.

The Ministry of Health has launched an investigation into what it calls “unusual” activity on the system that links pharmacies across the province to a central data system, tracking every prescription that is filled.

The ministry states an “unknown/unauthorized person obtained and used a physician’s login to access PharmaNet” four times, gaining access to names, dates of birth, personal health numbers and — in 80 cases — recent medication history.

“We know how the accounts were compromised and it’s not the underlying system,” says Dominic Vogel, chief security strategist with Cyber.SC in Vancouver.

“It could be that a physician computer was compromised, whether at an office or at home, and the credentials were harvested that way.”

Vogel believes the investigation of the breach will likely lead to recommendations the province beef up authentication procedures for accessing data systems.

“It needs to be above and beyond the typical username and password. Those types of authentications shouldn’t fly in government systems nowadays,” he tells NEWS 1130, adding that better monitoring and detection of breaches are also needed.

Vogel believes determined hackers will always find a way to access private data, but it is important that governments and businesses learn from it.

“Unfortunately these types of incidents will happen. What would be bad is if they keep happening and the government’s systems don’t get updated with proper security and privacy controls and the same type of hack keeps happening.”

Vogel says putting those controls in place is relatively simple, but too many businesses and organizations rely on basic authentication through usernames and passwords.

“It was good 20 years ago but it just isn’t proper in this day and age. Focusing on more robust authentication controls and implementing better monitoring are really important for reducing the likelihood of this type of event happening again.”

The Health Ministry says it found out about the PharmaNet breach last fall.

The investigation is ongoing with notification letters now being sent out to everyone affected, warning about the risk of identity theft.