Dissent Doe :cupofcoffee:<p>With great thanks to <span class="h-card" translate="no"><a href="https://infosec.exchange/@masek" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>masek</span></a></span> and <span class="h-card" translate="no"><a href="https://infosec.exchange/@JayeLTee" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>JayeLTee</span></a></span> and others who assisted or tried to, including Rogers ISP and law enforcement in Canada, we can finally say:</p><p>Bolton Walk-In Clinic patient data leak locked down! </p><p>Read about this very frustrating effort to get exposed patient data locked down:</p><p><a href="https://databreaches.net/2025/06/30/bolton-walk-in-clinic-patient-data-leak-locked-down-finally/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">databreaches.net/2025/06/30/bo</span><span class="invisible">lton-walk-in-clinic-patient-data-leak-locked-down-finally/</span></a></p><p><a href="https://infosec.exchange/tags/healthsec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>healthsec</span></a> <a href="https://infosec.exchange/tags/PHIPA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PHIPA</span></a> <a href="https://infosec.exchange/tags/HIPA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>HIPA</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/incidentresponse" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>incidentresponse</span></a> <a href="https://infosec.exchange/tags/dataleak" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dataleak</span></a></p>
eupolicy.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
This Mastodon server is a friendly and respectful discussion space for people working in areas related to EU policy. When you request to create an account, please tell us something about you.
Administered by:
Server stats:
211active users
eupolicy.social: About · Profiles directory · Privacy policy
Mastodon: About · Get the app · Keyboard shortcuts · View source code · v4.4.1
#phipa
0 posts · 0 participants · 0 posts today
Dissent Doe :cupofcoffee:<p><span class="h-card" translate="no"><a href="https://infosec.exchange/@masek" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>masek</span></a></span> <span class="h-card" translate="no"><a href="https://infosec.exchange/@JayeLTee" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>JayeLTee</span></a></span> For the life of me, I cannot understand why this got kicked over to the anti-rackets branch, but thank you for what you managed to accomplish. </p><p>I will post an update to this leak on my blog sometime this week, but in the interim:</p><p>Any patients of the Bolton Walk-In Clinic should consider filing a complaint with the provincial Privacy Commission and requesting an investigation into the clinic's failure to comply with medical privacy laws such as PHIPA. IMO, the IPC should also be asked to require the clinic to notify every patient whose unencrypted information was exposed. </p><p>Additional details about earlier efforts by <span class="h-card" translate="no"><a href="https://infosec.exchange/@JayeLTee" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>JayeLTee</span></a></span> and I to get this leak secured can be found in my post at <a href="https://databreaches.net/2024/12/03/bolton-walk-in-clinic-in-ontario-lock-down-your-backup-already/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">databreaches.net/2024/12/03/bo</span><span class="invisible">lton-walk-in-clinic-in-ontario-lock-down-your-backup-already/</span></a></p><p><a href="https://infosec.exchange/tags/dataleak" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dataleak</span></a> <a href="https://infosec.exchange/tags/incidentresponse" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>incidentresponse</span></a> <a href="https://infosec.exchange/tags/PHIPA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PHIPA</span></a> <a href="https://infosec.exchange/tags/Ontario" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Ontario</span></a> <a href="https://infosec.exchange/tags/healthsec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>healthsec</span></a></p>
Dissent Doe :cupofcoffee:<p>The Information and Privacy Commissioner of Ontario has completed a review into Daixin Team's massive cyberattack on five regional hospitals in 2023 and found hospital officials acted “adequately.”</p><p>Perhaps the most notable aspect of the report (from my perspective) was that the IPC said the hospitals were obligated to notify patients whose data had been encrypted (and not just those whose data had been exfiltrated). They saw no point in requiring that now, but wanted it noted that it should have happened.</p><p>So that seems to be making PHIPA's interpretation clearer for future victims of encryption incidents. </p><p>The full report makes an interesting read. </p><p>PHIPA Decision 284:<br><a href="https://decisions.ipc.on.ca/ipc-cipvp/phipa/en/item/521986/index.do" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">decisions.ipc.on.ca/ipc-cipvp/</span><span class="invisible">phipa/en/item/521986/index.do</span></a></p><p><a href="https://infosec.exchange/tags/PHIPA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PHIPA</span></a> <a href="https://infosec.exchange/tags/notification" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>notification</span></a> <a href="https://infosec.exchange/tags/incidentmanagement" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>incidentmanagement</span></a> <a href="https://infosec.exchange/tags/databreach" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>databreach</span></a> <a href="https://infosec.exchange/tags/ransomware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ransomware</span></a></p>
Dissent Doe :cupofcoffee:<p>Unbelievable. Or maybe too believable...</p><p>I previously posted about Bolton Walk-in Clinic in Ontario not locking down their patient data despite multiple responsible disclosure alerts (<a href="https://infosec.exchange/@PogoWasRight/113589181607493357" translate="no" rel="nofollow noopener" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@PogoWasRight</span><span class="invisible">/113589181607493357</span></a>). Then I reported that Canada's cybersecurity agency contacted me and offered to help (<a href="https://infosec.exchange/@PogoWasRight/113589757905504474" translate="no" rel="nofollow noopener" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@PogoWasRight</span><span class="invisible">/113589757905504474</span></a>).</p><p>Well, they tried... but got no results either. Bolton Walk-In Clinic is <em>still</em> exposing patient data and didn't even do anything when contacted by Canadian federal police. </p><p>If any Canadian news outlet would like to report on this, get in touch. <span class="h-card" translate="no"><a href="https://infosec.exchange/@JayeLTee" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>JayeLTee</span></a></span> and I will share the information with you (yes, I just volunteered him too). 😂 </p><p>Or if anyone is in the vicinity of their clinic, maybe stand outside with a sign that says, "Bolton Walk-In Clinic is leaking patient data and ignoring alerts!" That might get some attention... </p><p>Bonus points if you get someone in a Santa outfit to stand outside their clinic with a sign that says "Bolton Walk-In Clinic is naughty -- they are leaking patient data." </p><p><a href="https://infosec.exchange/tags/dataleak" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dataleak</span></a> <a href="https://infosec.exchange/tags/negligence" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>negligence</span></a> <a href="https://infosec.exchange/tags/healthsec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>healthsec</span></a> <a href="https://infosec.exchange/tags/PHIPA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PHIPA</span></a> <a href="https://infosec.exchange/tags/HIPA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>HIPA</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/databreach" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>databreach</span></a> <a href="https://infosec.exchange/tags/accountability" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>accountability</span></a></p>
Dissent Doe :cupofcoffee:<p><span class="h-card" translate="no"><a href="https://infosec.exchange/@hal8999" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>hal8999</span></a></span> <span class="h-card" translate="no"><a href="https://infosec.exchange/@brett" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>brett</span></a></span> As the article notes, an offense under <a href="https://infosec.exchange/tags/PHIPA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PHIPA</span></a> can potentially result in imprisonment.</p>
Dissent Doe :cupofcoffee:<p>A patient at Woodstock Hospital in Ontario wants to know why the hospital never referred an insider-wrongdoing breach to the police. It's a fair question considering that the improper access affected 56 patients and took place between January and May. </p><p><a href="https://www.woodstocksentinelreview.com/news/local-news/patient-frustrated-by-woodstock-hospital-privacy-breach" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">woodstocksentinelreview.com/ne</span><span class="invisible">ws/local-news/patient-frustrated-by-woodstock-hospital-privacy-breach</span></a></p><p><a href="https://infosec.exchange/tags/databreach" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>databreach</span></a> <a href="https://infosec.exchange/tags/privacy" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>privacy</span></a> <a href="https://infosec.exchange/tags/PHIPA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PHIPA</span></a> <a href="https://infosec.exchange/tags/OIP" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OIP</span></a> </p><p><span class="h-card" translate="no"><a href="https://infosec.exchange/@brett" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>brett</span></a></span></p>
TrendingLive feeds
Mastodon is the best way to keep up with what's happening.
Follow anyone across the fediverse and see it all in chronological order. No algorithms, ads, or clickbait in sight.
Create accountLoginDrag & drop to upload