Data security

May 18, 2017

Update and Frequently Asked Questions

Dear Member

I am writing to provide you with an update about the data security breach I reported Tuesday, May 16 that affects members and employees of the Alberta Medical Association.

The AMA has contracted with Equifax, the leading national credit bureau. We are purchasing a comprehensive credit monitoring package for each member and employee. It will be available to you at no charge for a two-year period. With Equifax Complete™ Premier Plan you can:

  • Monitor your credit and receive regular reports and access to your Equifax credit score to notify you of unexpected changes.
  • Work with a dedicated Customer Care Representative who will answer your questions.
  • Help protect your information including your social insurance number, bank accounts, home and work addresses and credit and banking history.
  • Help minimize exposure including Internet scanning and dark web monitoring.
  • Help reduce financial risk with up to $50,000 identity theft insurance.

The call center and Customer Care Representatives will be available very soon and we will let you know when it happens. In the meantime, we thought you might be interested in some frequently asked questions. You can review them here: https://www.albertadoctors.org/data-security

While awaiting availability of the credit monitoring service over the next week, we recommend you take the steps already suggested:

Again, I apologize for the breach and the inconvenience it has caused. We continue to investigate to understand the complete nature of the breach and its implications. We are working very hard to minimize the impact of the incident and will keep you informed.

Sincerely
Michael A. Gormley
Executive Director

The AMA is offering members two years of free premium credit monitoring service with Equifax. The service includes a call centre staffed by experienced Customer Care representatives who will be able to answer questions you may have.

FAQ

The call center will be up and running very soon and we will let you know when it happens. In the meantime, here are some questions and answers we have compiled for you. We hope you find them helpful. Watch for information about activating your Equifax account.

1. HAS MY INFORMATION BEEN BREACHED?

As of today, we know that data was exposed. We have no evidence yet that any data has actually been accessed, but we are acting in terms of the worst-case scenario.

The exposed data has now been secured and we have engaged legal and security experts to assist with the investigation to ensure we can provide answers as soon as possible.

We will email as we have more information. Please check for latest updates anytime at https://www.albertadoctors.org/data-security

2. WHAT SHOULD I DO WHILE I AM WAITING TO LEARN MORE?

We are committed to providing updates as frequently as possible. In the interim, please continue to be vigilant in monitoring your personal and banking information.

  • Keep an eye on your bank accounts and credit cards and if you note any unusual activity, contact your bank immediately. 
  • In case of suspicious activity, you should also immediately notify the RCMP’s Canadian Anti-Fraud Centre: http://www.antifraudcentre-centreantifraude.ca/index-eng.htm with the direct link to reporting an incident of fraud: http://www.antifraudcentre-centreantifraude.ca/reportincident-signalerincident/index-eng.htm 
  • We encourage you also to sign up for the Equifax Complete™ Premier Plan credit monitoring that is being offered (at no charge for a two year period to all members) by the AMA. You will receive an activation code by email the week of May 23-26. If you have not received your code by then, please email datasecurity@albertadoctors.org

3. HAVE EXTERNAL PARTIES BEEN NOTIFIED?

An official report has been submitted to the Office of the Information and Privacy Commissioner of Alberta (OIPC). We have secured legal counsel and as the investigation proceeds, we will notify other parties as needed.

4. WHAT IS THE AMA DOING TO RESOLVE THIS ISSUE?

All electronic files have been removed from the compromised environment, and operations with the vendor have ceased until further investigation has occurred.

AMA teams continue to work diligently to investigate the breach and assess the risk. A forensic investigation team has been engaged to do a full analysis to determine the nature of the virus and the scope of impact.

We are in ongoing communications with legal, privacy and credit monitoring experts to provide the best possible support for our members and employees.

We encourage you also to sign up for the Equifax Complete™ Premier Plan credit monitoring that is being offered (at no charge for a two year period to all members) by the AMA. You will receive an activation code by email the week of May 23-26. If you have not received your code by then, please email datasecurity@albertadoctors.org

5. HOW WAS THE INCIDENT DISCOVERED AND WHO DISCOVERED IT?

The vendor noticed server performance issues which triggered an investigation. The investigation revealed the presence of a virus.

6. WHY DID IT TAKE AMA FOUR DAYS TO LET MEMBERS KNOW?

We learned of the breach late Friday afternoon. The subsequent lag was due to necessary investigation and due diligence. We also were in communication with the Office of the Information and Privacy Commissioner, legal counsel and information breach experts.

7. WHAT KIND OF RECORDS WERE INVOLVED?

The files that were exposed are PDF versions of quantities of paper documents. These files are widely varied and may include: applications for membership renewals; benefit programs like Continuing Medical Education, Parental Leave Program; committee expense and honoraria payment forms; etc.

8. WHY CAN’T YOU TELL ME NOW EXACTLY WHAT WAS IN THERE?

The files that were exposed consist of thousands of pages of these various forms and documents. In order to identify exactly what information was compromised for a single member, we would have to go through each file one page at a time. We will assess the need to do so once we have the results of the forensic audit, but it will take some time.

9. WHY DOES AMA RETAIN THIS INFORMATION?

Canada Revenue Agency and other regulatory bodies require the AMA to retain the data for a specified period of time. Our grant agreements with Alberta Health for benefit programs also have extensive and lengthy retention requirements.

10. WHAT CREDIT CARD INFORMATION WAS INVOLVED AND WHY WERE YOU STORING THOSE NUMBERS?

At present we do NOT believe that credit card data has been compromised. The limited amount of credit card numbers on file were dated and would have expired already. We encourage you to exercise your normal vigilance over credit card statements and also to sign up for the Equifax Complete™ Premier Plan credit card monitoring that is being offered at no charge for a two year period to all members.

We no longer store credit card numbers and have not done so for years. We are, however, still required to retain those records due to Canada Revenue Agency requirements and other terms of our many grant agreements with Alberta Health. For example, many of the benefit program agreements require us to retain complete records for 10 years after the expiration of a program.

11. DID YOU ALLOW OR PERMIT THE SUBCONTRACTOR OF THE THIRD PARTY VENDOR TO HAVE ACCESS TO THE FILES?

No. That access was extended through the third party primary contractor.

12. DID YOU HAVE A CONFIDENTIALITY AGREEMENT WITH THAT CONTRACTOR?

We had an agreement with the primary contractor who engaged the sub-contractor, both bound to the terms of that agreement.

13. WAS FINANCIAL DATA RELATED TO HEALTH INSURANCE COMPROMISED?

No.

14. WERE ANY OF MY PASSWORDS EXPOSED?

No passwords of any sort were involved.

15. THE AMA HAS MY BANK ACCOUNT INFO. WOULD YOU RECOMMEND THAT I CLOSE THIS ACCOUNT IMMEDIATELY?

Not at this time, but carefully monitor your bank accounts until such time as you can sign up for the credit monitoring service that the AMA has now purchased for all members.

16. MY BANK CONTACTED ME ABOUT SUSPICIOUS ACTIVITY ON MY CREDIT CARD WHICH OCCURRED ON THE EXACT SAME DATE AND TIME, MAY 12TH. DID THAT ARISE FROM THE BREACH?

This was probably unrelated since credit card information we still hold is out of date. We would not have a current credit card number on file.

17. DOES THIS HAVE ANYTHING TO DO WITH THE CYBERATTACKS BEING REPORTED IN THE NEWS IN MANY COUNTRIES?

No. This appears to be an unrelated incident.

May 16th, 2017

Alberta Medical Association security alert: Reporting breach of member information

What has happened

The AMA contracts with a third-party service to convert paper-based files to electronic format. Late Friday afternoon (May 12) we learned that a subcontractor of a third-party vendor who provides this service has been the victim of a cyber-attack. As a result, some AMA files stored on the server were exposed because of that vulnerability.

We wish to apologize to the membership for this unfortunate event. We have been engaged in investigation and exploring options since then and today are writing to advise you of what has transpired.

The risk to you and what we are doing in response

Across a variety of types of digitized files that were temporarily stored on the third party server, a significant amount of member and employee personally identifiable information has been exposed. This information is sensitive. In a worst case scenario where multiple elements have been exposed, it is likely of sufficient nature to enable risk of fraud or identity theft. The information includes, but is not limited to: names; personal and professional addresses; T-4s, bank and credit card information; and demographic details.

As of today, we know that the server where the data resided was compromised. We don’t know whether the data was accessed inappropriately, only that it could have been. If it was, we don’t know to what extent. The AMA is taking all necessary steps to address this situation, including investigation through a forensic audit. Here are some other things that are underway.

  • All AMA digital files have been pulled from the server. 
  • We are consulting with legal, privacy and breach-recovery experts. 
  • We will review all related processes against learnings from this event to help prevent future incidents. 
  • We have reported the incident to the Office of the Information and Privacy Commissioner and are receiving guidance on steps to take.

What you can do now

We understand that all members will be anxious to know exactly what information has been affected. Other than knowing the general categories as mentioned above, with thousands of pages of variable documents involved, we simply cannot tell you today the impact on an individual level. The aforementioned forensic audit will help us determine next steps in this regard.

We will provide additional information within a few days. In the meantime, to be safe, we suggest that you keep an eye on your bank accounts and credit cards and if you note any unusual activity, contact your bank immediately. You should also immediately notify the RCMP’s Canadian Anti-Fraud Centre: http://www.antifraudcentre-centreantifraude.ca/index-eng.htm with the direct link to reporting an incident of fraud: http://www.antifraudcentre-centreantifraude.ca/reportincident-signalerincident/index-eng.htm

We hope to coordinate communication with members so we can be sure we are aware of all issues and questions.

If you have questions while awaiting our next communication, please email datasecurity@albertadoctors.org. We will post all updates on this page.

Our commitment

We will learn as much as can be learned and maintain clear and regular communication with you as we work through this event. Again, we sincerely regret what has happened. We pledge to do our utmost in response on your behalf.
