The British Columbia Institute of Technology (BCIT ) discovered a security breach during a scheduled audit conducted on a server containing the medical information of 12,680 staff, faculty and students, according to a July 5 statement.
“At this time, and to the best of our knowledge, there is no indication that any personal information has been improperly accessed or misused; however BCIT is treating the possibility of unauthorized access to personal information very seriously,” the statement said.
The university is conducting an investigation to mitigate the risk of personal information being compromised, the statement said.
When the breach was discovered, they took the server off-line immediately, removing and analyzing all hard-drives.
A third party was using the server to upload and download German films, according to Dave Pinton, Acting Director of Communications at BCIT.
The president of BCIT sent 11,000 letters to the individuals affected. The university also provided suggestions on how to respond if they suspected their personal information was compromised or used inappropriately, Pinton said, adding that no financial information was stored on the server.
The information stored on the server dates from October, 2005 to June 11, 2012 and includes the following personal information used for billing purposes:
- Name
- Date of birth
- Medical Services Plan (MSP) number
- Personal Health Number (PHN)
- Phone number
- Address
- Treatment billing codes and descriptions
“Most people understand that in the age of technology that this type of thing can happen,” Pinton said. “Larger corporations or anyone with large servers are at risk of attack all the time.”
The university is trying to be as transparent as possible of how they are dealing with the breach, and is working with the Privacy Commissioner, Pinton said.
“BCIT really regrets and apologizes for the incident and are taking steps to review the physical and technical security processes,” Pinton said.