Medical institution fined 500K dollars for data leak

Canada. Durham Region Health, an organization that provides medical services to the local population, must pay a fine of $500,000, 3 years after a data leak occurred.

In December 2009 a female employee of Durham Region Health lost an unencrypted flash drive containing patients’ personal data. The flash drive contained information that was highly confidential: surnames, first names, addresses, birthdays, telephone numbers and medical card numbers, and also some medical data. As a result of the loss, 83,524 patients had their data compromised by the organization.

The victims filed a lawsuit against Durham Region Health claiming damages of $40 million. But the court threw out the lawsuit, since the accusations of negligence, abuse of position, breach of personal inviolability and breach of human rights could not be proved.

The court imposed fines on the company, and also ordered it to cooperate with the victims of the leak to the fullest possible extent, so as to minimize the possible consequences. For each lost item of personal data, Durham Region Health will have to pay $5.99. In total, the fine amounts to $500,000.

Nikolai Fedotov, chief analyst at InfoWatch: «It turned out that the plaintiffs could not prove, or argue beyond reasonable doubt, that the lost personal data had been used by criminals. As a rule, when fraudsters use personal data we begin to see traces of this several weeks after the information was compromised. In the UK, ‘identity theft’ (i.e. fraud based on the misuse of personal data) is quite a common crime.

With such a large number of records, and given the time-frame involved, we can be pretty sure that the lost flash drive did not fall into the hands of criminals. However, a fine has nevertheless been imposed on the organization in question.

Unfortunately, the fine has been imposed far too late. Since 2009, a new generation of data protection resources will have been brought in, and employees responsible for data security will have been fired. The entire organization will have undergone significant reorganization. It's hard to say what effect such a punishment will have».