Privacy, ransomware breach hits Lower Mainland social support group

Clients say Lookout Housing + Health Society has said nothing


A Lower Mainland community support group has been hit by a data breach, B.C.’s privacy commissioner has confirmed.

The news came as the Office of the Information and Privacy Commissioner (OIPC) released privacy impact assessment tools to mark Jan. 28’s Privacy Day.

The Lookout Housing + Health Society, which works in 14 Lower Mainland municipalities, serving 2,500 people a day and housing 1,400 per night, was hit with a ransomware attack.

Lookout provides a medical and dental clinic, food bank, needle distribution and community clean-up, HIV and Hep C supports, peer and employment programs and youth counselling programs.

No one from Lookout was made available to discuss the attack.

Clients at Lookout’s Yukon Shelter and Housing Centre facility, however, said they had not been told of the breach.

“They haven’t said anything,” client Jason Morrisey said outside the shelter. “I don’t want people snooping around in my info. That’s horse****.”

He said he has given the shelter information such as his date of birth, social insurance number, medical and prescription data and banking information as well as the background and legal issues he’s dealing with.

“They need all that when they do intake,” Morrisey said. “They pretty well know my whole life now, whoever got that info.”

An OIPC breach guidance document said affected individuals should be notified in the event of a breach. Factors to be taken into consideration should include risk or damage to reputation – especially in the case of medical or legal records – and the loss of confidence in an organization.

Further, it said, there is risk of identity theft if breached data includes information such as banking details or social insurance numbers.

The OIPC is aware of the breach but cannot reveal details at this point.

“We have opened a file and are consulting with them as they work to address the circumstances of the breach,” spokeswoman Jane Zatylny said.

On Jan. 28, the OIPC released its privacy impact assessment template and related guidance for private-sector organizations collecting, using and disclosing personal information. The documents are designed to give organizations the tools they need to make sure their plans comply with the law.

Commissioner Michael McEvoy said Data Privacy Day is an ideal time to share the resources, which are all about making sure people's personal information is protected in compliance with B.C.'s Personal Information Protection Act (PIPA).

"Data Privacy Day's call to action around protecting personal information and understanding threats to privacy in the digital age are more important than ever," McEvoy said. "Indeed, our office is now dealing with one of the most serious privacy breaches in the history of this province and country."

That breach is the Nov. 1 cyberattack against Canada’s largest medical laboratory diagnostic testing services company.

LifeLabs’ reporting of the attack spurred an investigation by the privacy commissioners of B.C. and Ontario.

The affected systems contained information of approximately 15 million LifeLabs customers, including name, address, email, customer logins and passwords, health card numbers and lab tests, the commissioners said.

“In this environment, it's important for organizations to build privacy considerations into the design of every initiative in which people's personal information is collected, used or disclosed,” McEvoy said. “My office's privacy impact assessment template and guidance document offer a straightforward, step-by-step means of taking a comprehensive look at all aspects of how personal information flows through an organization and ensuring that it complies with PIPA at every step.”

The privacy impact assessment template is an 11-page, editable document that covers all aspects of a privacy risk assessment for an initiative that is either planned or being substantially revised. The template offers examples and tips on all stages of developing a privacy impact assessment.