Will this biz be poutine up the cash? Hackers demand dosh to not leak stolen patient records

Hackers say they will leak patient and employee records stolen from a Canadian healthcare provider unless they are paid off. The records include medical histories and contact information for tens of thousands of home-care patients in Ontario, Canada, and belong to CarePartners. The biz, which provides home medical care …

  1. SVV

    Don't bother paying the dosh

    Look, this stuff is all going online now. It's all your fault. You rushed to be modern and online and ignored the security concerns that cost money because some dimbulb got excited about open information exchange at a conference somewhere nice and rushed to implement it on the cheap because "ooh, shiny" and you now join the rapidly increasing club of fools that are learning the consequences of this stupidity the hard way.

    1. macjules
      FAIL

      Re: Don't bother paying the dosh

      1) https://www.google.com/?q=inurl:%2Findex.cfm

      2) Follow the instructions on CVE-2016-4264

      That exploit is over 2 years old, so if they didn't have an SLA in place for updates to their site then more shame upon them.

    2. Halfmad

      Re: Don't bother paying the dosh

      NHS England is running down the old sharing data with whoever they want, patient access via internet to their records, booking prescriptions and appointments online.

      Shiny you said? It's happening very close to home, let's hope they get it right eh?

    3. DavCrav

      Re: Don't bother paying the dosh

      "Look, this stuff is all going online now. It's all your fault. You rushed to be modern and online"

      The trouble is, the other direction is:

      "I'm sorry, we don't know what's wrong with you. Your medical records are currently being couriered over from Vancouver, but we are in Toronto, so let's hope it's nothing urgent."

      So there has to be some online-esque method of moving the data. For a country like Canada, a separate hardened network connecting all health centres is possible, just insanely expensive, so it'll use the Internet. So now there will be breaches. You can minimize them -- in this case, that appears not to have happened -- but you cannot eliminate them entirely.

      1. CrazyOldCatMan Silver badge

        Re: Don't bother paying the dosh

        so it'll use the Internet

        If only someone would invent a method of making point-to-point links securely between two internet endpoints! I know - they could call it 'almost private network' or something similar to that..

        And let's not forget that even the NHS managed to set up N3 which was (mostly) secure..

      2. Anonymous Coward

        Re: Don't bother paying the dosh

        There is something east of Vancouver? On the other side of the Rockies? What is this Toronto you write of?

    4. CrazyOldCatMan Silver badge

      Re: Don't bother paying the dosh

      "Paying the Danegelt just results in the Vikings coming back next year to demand more".

      After all, if they were trustworthy and upright people, they wouldn't have swiped the information in the first place, would they? You going to trust criminals to stay bought?

  2. Destroy All Monsters Silver badge
    Coat

    This is probably what is called

    "phairtrade"

  3. cd

    We need to have data protection laws where any breach requires the public hanging of the C-suite and board. Then our Privacy actually will be "very important to them".

    1. Mark 85

      Not just in Canada, but every country. However, to quote an old western movie line: "Hangin' is too good for 'em."

      1. JustWondering

        Mark 85: But the overhead is low. Ropes are reusable.

  4. DanceMan
    Thumb Down

    "takes the safeguarding of personal health and financial information seriously"

    No you obviously don't, you blatant liars.

    1. Claverhouse Silver badge
      Mushroom

      Re: "takes the safeguarding of personal health and financial information seriously"

      @DanceMan

      "takes the safeguarding of personal health and financial information seriously"

      No you obviously don't, you blatant liars.

      .

      .

      This, burning like a 1000 suns.

      I was just reading about something entirely different; the theft of some nuclear bits 'n bobs in San Antonio a year ago, and the thought instantly struck me, people in charge of such stuff --- and presidents above --- inevitably blurt 'Our safe-keeping is the best in the world' and 'We go above and beyond' etc. etc..

      .

      To ensure they got the right items, the specialists from Idaho brought radiation detectors and small samples of dangerous materials to calibrate them: specifically, a plastic-covered disk of plutonium, a material that can be used to fuel nuclear weapons, and another of cesium, a highly radioactive isotope that could potentially be used in a so-called "dirty" radioactive bomb.

      But when they stopped at a Marriott hotel just off Highway 410, in a high-crime neighborhood filled with temp agencies and ranch homes, they left those sensors on the back seat of their rented Ford Expedition. When they awoke the next morning, the window had been smashed and the special valises holding these sensors and nuclear materials had vanished.

      No-one would ever trust me with implementing such logistics, but even I can see the first 3 mistakes they made just in the 2nd paragraph alone...

      .

      https://www.houstonchronicle.com/news/investigations/article/Plutonium-went-missing-in-San-Antonio-but-the-13069949.php

      1. Destroy All Monsters Silver badge

        Re: "takes the safeguarding of personal health and financial information seriously"

        We had the discussion about that headline-screaming recently: https://www.theregister.co.uk/2018/07/16/us_govt_stolen_plutonium/ - not many dead.

  5. Anonymous Coward

    Never ever pay ransom to scumbags ever, pieces of shit

  6. The Count
    Facepalm

    "poutine up the cash?"

    I'm convinced there is someone at El Reg whose entire job is just to come up with the worst puns ever. That person needs to be taken out behind the pub and slapped with a rolled copy of Newsweek with Trump's picture on the cover.

    1. Korev Silver badge
      Coat

      Re: "poutine up the cash?"

      But where would be the pun in that?

    2. Destroy All Monsters Silver badge

      Re: "poutine up the cash?"

      It was rewritten from yesterday, something less punny used to be there...

    3. CrazyOldCatMan Silver badge

      Re: "poutine up the cash?"

      rolled copy of Newsweek with Trump's picture on the cover

      Don't we have laws against 'cruel and unusual punishment'?

    4. Robert Helpmann??
      Pint

      Re: "poutine up the cash?"

      ...there is someone at El Reg whose entire job is just to come up with the worst puns ever. That person needs to be taken out behind the pub and slapped...

      You do whatever you want, but I'll buy them a round or two for the same reason. Maybe between us we will make that person happy.

  7. Winkypop Silver badge

    Reminds me

    Must opt-out of the Oz medical records scam scheme.

  8. James Anderson

    Why the fuss?

    Everybody over 60 talks endlessly about their condition, medication, procedure or trumps it all with "my operation".

    Unless it's a rare Form of Ovid STD this data has already been revealed to an uninterested public who have instantly forgotten.

    1. Korev Silver badge

      Re: Why the fuss?

      Maybe if it's "media friendly" like skin or breast cancer; but not if it's something like HIV, mental health, anal cancer etc. It's very sad that it's like this.

    2. MachDiamond Silver badge

      Re: Why the fuss?

      The reason is that the insurance industry is more than happy to hoover up stolen data if they get the chance. Data is Data. It can also wind up on personal information peddlers' sites that employers use to vet employees and applicants. If you've even had a health issue that might make an employer worry about your having to take time off in the future, you aren't getting hired. You could also be eased out of your existing job. We're no angels and a boss looking to log every single thing in our files to justify sacking us is not a problem.

  9. adam payne

    Data privacy watchdogs at the Office of the Information and Privacy Commissioner of Ontario said they were “assessing whether the breach could have been prevented”

    If the breach wasn't preventable then they had no business using the system in the first place.

  10. EnviableOne

    Card Security Codes

    I am sure that storing CVVs is banned by PCI DSS.

    The sooner they start cutting people off from payment networks for breaching it the better.

    Cos nothing hits a business now like not being able to take money.

    1. MachDiamond Silver badge

      Re: Card Security Codes

      Those CVV codes have to be stored at least temporarily to process transactions. I'm sure that lots of programmers wouldn't know if there were a law against storing them long term. It's so much easier if they are stored if it's anticipated that there will be more transactions in the future.

      1. Anonymous Coward

        Re: Card Security Codes

        If so, the system is not PCI compliant and won't pass an audit. Banks can cut off their ability to accept credit card payments.

  11. RobThBay

    CBS News??

    At the end of the article it says "CBS News added." Shouldn't it be "CBC News added."?
