Data security

September 21, 2017

AMA & EQUIFAX

In response to a data security breach, the Alberta Medical Association recently offered complimentary credit monitoring and identity theft protection for members with Equifax Canada, the world’s leading credit bureau.

On September 7 Equifax Inc. (USA) reported that it itself had experienced a security breach over the summer that compromised the private information of up to 143 million Americans, along with an undisclosed number of Canadians. The company has been tight-lipped about further details, including how many Canadians may have been exposed. Equifax Canada’s website said initially that “only a limited number of Canadians may have been affected” and “the breach is contained.”

Naturally, members have been asking questions about what this means for them. We thank all members who have been in touch with questions. The information below represents our best information at this time. Please don’t hesitate to contact us if you have further concerns or comments (email datasecurity@albertadoctors.org). We are monitoring this situation very carefully and will add details as we receive them. We aim to address all your concerns clearly and thoroughly.

Update from the Alberta Information and Privacy Commissioner (September 19, 2017) Equifax Inc. has been providing regular updates about its privacy breach to the Office of the Information and Privacy Commissioner. The number of affected Albertans, if any, is not known at this time. Equifax Inc. and Equifax Canada have committed to notifying all Canadians affected in writing as soon as possible. The company will also offer free credit monitoring to affected individuals. Meantime, the privacy commissioner’s office continues to monitor the steps being taken to respond to this breach. Under Alberta’s Personal Information Protection Act, organizations must report certain breaches to their office and the commissioner has the power to require organizations to notify affected individuals when a real risk of significant harm is identified. While Equifax continues to determine which Canadians may have been affected by this breach, there are some important points to consider: Do not use Equifax’s U.S. website to determine whether you may be affected. The site is for use by individuals with U.S. social security numbers. Canadians can contact Equifax at 1-866-699-5712 (English), 1-877-323-2598 (French) or email EquifaxCanadaInquiry@equifax.com. Updates may also be found at www.equifax.com. Equifax Canada also distributed a press release on September 19, 2017 with more information indicating that up to 100,000 Canadians may be affected. See the press release at equifax.mwnewsroom.com/press-release/Equifax-Provides-Canadians-with-Additional-Clarity-on-Cybersecurity-Incident-Involving-2187960#.WcE31x7u7o0. Once affected individuals have been identified, Equifax will not notify anyone by phone or email, only by letter. Hang up if someone calls claiming to be from Equifax, and do not click on links or provide personal information if an email appears to be related to the breach. Watch for potential identity fraud; take steps in case of suspicious financial activities Monitor activity on your credit cards and bank accounts, and report any unauthorized transactions or other issues immediately. If you identify a concern involving a theft or crime, report the incident to local police. Report any incidents involving a scam or fraud to the Canadian Anti-Fraud Centre. If you think you have been targeted by identity fraud, advise your bank and credit card companies as well as brokerages, or companies with which you have mutual funds, life insurance, etc. Close any accounts and cancel any cards that may be compromised.

AMA QUESTIONS AND ANSWERS

The AMA sought some additional independent advice to answer questions as best we can at the present moment. We have retained author and personal finance educator, Kelley Keehn, a best-selling, award-winning author of nine books. Her latest book is Protecting You and Your Money; A Guide To Avoiding Identity Theft and Fraud, published by the Chartered Professional Accountants of Canada.

I signed up for Equifax Canada credit monitoring service through the AMA. What does this mean to me?

There are two categories of information involved when you consider the Equifax breach.

1. Credit File information: Equifax (and the other Canadian credit bureau TransUnion) maintain Credit Files. In these files, credit bureaus collect and hold credit data for all Canadians over the age of 18 who have ever applied and/or obtained a credit card, mortgage, loan or other financial products.

2. Credit Monitoring Service information: Like you, some individuals have signed up for Equifax Credit Monitoring Service. In doing so, they have provided additional personal information in order that it can be monitored.

Based on the latest news from Equifax Canada, it is the Credit File information that has been compromised. The company also advises that this likely affects only Canadians who have financial dealings in the USA. There is no indication as yet that the Canadian Credit Monitoring Service information (that you would have submitted when you signed up for credit monitoring and identity theft insurance protection) has been compromised. Read more here.

Unfortunately, because of the first category, all Canadians over the age of 18 with any type of credit (including from banks, vehicle financing, etc.) need to be concerned about the Equifax breach and take the steps outlined above.

Should I cancel my membership with Equifax as a safeguard?

Remember that both Equifax and TransUnion have already collected and stored your personal data every time you have applied for credit in your name. This information is part of your Credit File used to generate your credit rating and cannot be erased.

Both companies offer credit monitoring and identify theft protection as well as other services. You can opt out/cancel these services if you’ve signed up for them. But doing so will not erase your Credit File.

Further, if you retain your credit monitoring service, you will receive an alert anytime there is a change to your Credit File. Experts continue to recommend using Equifax or TransUnion as a proactive step if your information has been compromised now, or is ever compromised in the future.

What else can I do to protect myself?

There are steps all Canadians should take now, whether or not you are an Equifax customer.

1. Be wary of phishing scams.

Be wary of anyone contacting you by phone, email or text requesting information from you or encouraging you to click on links. Pay particular attention to anything appearing to come from Equifax: Equifax will never contact breach-affected customers by email or phone, only by letter. Never click on any link or attachment even if you think it’s coming from someone you know. Validate message legitimacy before clicking.

2. Sign up for pro-active fraud alerts.

Some news reports refer to putting a freeze on your Credit File as a protective measure. This service is not available in Canada. You can, however, put a proactive fraud alert on your account with both Equifax Canada and TransUnion Canada.

A proactive fraud alert (or identity verification alert) tells lenders to contact you and confirm your identity before they approve any applications for credit. The aim is to prevent any further fraud from happening (i.e., if someone was trying to open a credit card in your name or obtain a loan, etc.). There is a cost of $5 per credit reporting agency and the alerts last 6 years. This is an extra layer of protection that requires the granter of new credit to call you before doing so.

To do this, contact Equifax Canada at 1.800.465.7166 and press option 2 to place an alert on your file. To reach TransUnion’s Fraud Victims Resources contact them at 1.800.663.9990.

3. Monitor your regular mail.

If any regular Canada Post mail goes missing, this could be a red flag that a thief is diverting your mail elsewhere. Also look out for new mailings and collection notices. The latter could tip you off that someone is applying for credit in your name.

4. Passwords and PINs

Consider changing passwords and PINs now, then again at regular intervals. Also consider strengthening the complexity of your passwords. Do not share passwords and PINS with others.

Consider using two-factor authentication for all your important online accounts. In addition to a password, many online accounts provide the added security feature of a second confirmation using text, email or a phone app. Contact your service providers for more information on this capability.

Contact your financial institution(s) and ask them if you can change your verification information. Many, by default, use your mother’s maiden name as a means of verifying your identity.

5. Other proactive steps.

Check your credit report regularly for anomalies. Check with Equifax Canada and TransUnion Canada at least once per year or more frequently if possible.

Avoid carrying social insurance numbers, passports and birth certificates with you unless needed.

Disclaimer: This document is intended for educational purposes only. The information is believed to be accurate and correct, however, this situation is still developing. Please consult your own financial or legal counsel before acting on any information provided here or elsewhere. 

---

September 7, 2017

Equifax data breach

Dear Member

A few hours ago, media began reporting that the Equifax USA has been hacked. Equifax has stated that they have “identified unauthorized access to limited personal information for certain UK and Canadian residents.” This is still being investigated. Here is one news story (or you can Google “Equifax news” for other coverage). http://news360.com/article/419022408

You will recall that the AMA reported a data security breach in May. A forensic audit subsequently found that no AMA member information had been compromised. To provide extra protection for members, we offered complimentary credit monitoring through Equifax Canada for a two-year period to all members.

Upon hearing about the Equifax USA cyber-attack today, we immediately reached out to our Canadian Equifax service. We will maintain close contact with them in the days ahead and communicate as further information becomes available.

This news will be an added frustration and anxiety for members who availed themselves of the Equifax offer at our suggestion. I apologize and hope to have more information for you very soon.

Yours truly

Mike Gormley

---

June 22, 2017

Forensic Report update

Dear Member:

On May 16, I reported to you that the AMA had experienced a data security breach. There have been numerous emails on the subject since then. To review these, see the updates below this post.

I am writing today with good news arising from the forensic audit conducted as a result of the breach. You will find the details in the attached document, but to summarize:

The AMA engaged the Cyber Security Team at PricewaterhouseCoopers (PwC) to investigate the breach. The team was tasked with investigating:
(i) Whether any AMA data was accessed by the cyber-attacker
(ii) Whether there was any evidence of unauthorized removal of AMA data from the server

Through their investigative actions, PwC found:

(i) There was no evidence of unauthorized access of AMA data
(ii) There was no evidence of unauthorized offloading of AMA data
This outcome comes as a relief to all concerned. Nonetheless, the AMA will undertake a comprehensive review of our processes and policies to identify areas of improvement within our data protection strategy. Findings and recommendations will be reviewed by the AMA’s Committee on Financial Audit.

Although the results of the investigation conclude that no member data has actually been compromised, we continue to strongly encourage you to sign up for Equifax Complete™ Premier Plan credit monitoring service including identity theft insurance. You can sign up by August 31, 2017 for two year’s coverage at no charge.

I am told that numerous physicians have been in touch to report that their credit cards had been compromised around the time of the breach or since then. However, no current credit card data was ever involved in our incident, so those physicians have been compromised from other sources. Digital theft is ubiquitous and increasing in frequency. Although the investigation determined that no member data was compromised in this case, you can still benefit from the substantial protection of the Equifax offering. You should have received an email on May 30 (and a subsequent letter via Canada Post) containing your personal Activation Code. If you cannot locate this code now, please reply to this email.

I wish once again to extend my sincere apologies for the anxiety and inconvenience this event has caused.

Thank you.

Sincerely,

Mike Gormley

---

May 26, 2017 update

 

Equifax credit monitoring

Dear Member

As promised, I am writing to provide you with the information you need to sign up for Equifax Premium Credit monitoring service including $50,000 in identity theft insurance. In response to the data security breach we have experienced – and as we have been reporting to you – the Alberta Medical Association has purchased the service for each member to be provided at no charge for two years.

STEPS AND TIPS FOR SIGNING UP FOR EQUIFAX

We suggest you sign up at your earliest convenience. You may, however, do so anytime before August 31, 2017. We strongly encourage you to read our steps and tips before doing so.

• http://myservices.equifax.ca/prem

You should have received an email on May 30 providing your personal Activation Code. If you have not received this please email datasecurity@albertadoctors.org.   

1. Prepare for signing up.

Before signing up for the monitoring service, you may want to have the following personal information on hand to make the process easier. Part of the process includes verifying your identity through a series of questions on your financial and contact history.

a. Bank account numbers and institutions
b. Credit cards
c. Banking/Loan/Mortgage information and history
d. Your Social Insurance Number (optional. See point 2.) 
e. Addresses and phone numbers (current and recent)

2. Should I provide my SIN?

To ensure you get the most out of your plan, you may wish to provide your Social Insurance Number (SIN) as part of the sign-up process in order to have it monitored for fraudulent activity through the Internet Scanning service. Although providing your SIN during sign up is optional, providing it after sign up involves having to call the hotline to speak to a representative and possibly faxing/mailing in proof of identity. Further, providing your SIN helps speed up the enrolment and verification process. Keep in mind that Equifax already has your SIN as a credit bureau agency, but cannot use it without your authorization.

3. Turn on key features of the plan after signing up.

Not all features of the Equifax Complete™ Premier Plan are turned on by default, including Internet Scanning and the lost wallet service. Further, once turned on, these services need to be set up by providing relevant personal information. Ensure you review, turn on and set up any services you wish to use after you have signed up.

You can find all available features in the ‘Your Features’ box on the main page once you’ve signed into the Equifax service.

4. How to add your bank account information.

Within Internet Scanning you may wish to add bank account information to your profile alert settings in order to have accounts monitored for fraudulent use. To add bank accounts you will need your account number and your transit/financial institution numbers. You can get these numbers off your cheques or from your bank directly. (Some online banking and mobile banking apps also provide these numbers.)

When adding your information, combine your transit and financial institution numbers together with the transit number first, followed by the institution number. Note that the system does not accept spaces or dashes so do not include these. You can click the More Info link beside the input boxes for help pulling the correct number off your cheque.

For further information

Questions about Equifax, credit monitoring products, signing up or trouble shooting:

• 1.800.871.3250
  - 6 a.m. to 10 p.m. Alberta time, seven days per week
  - This is the Equifax regulated call center
  - Please note: Another number appears on the Equifax website (1.877.493.8785). This is the same service/center.

Questions about the AMA breach:

• 780.482.2626
  - 8 a.m. to 4 p.m. Alberta time, five days a week except statutory holidays
  - These representatives can answer questions about the breach, but do not have access to credit file information and cannot help you with enrollment, etc.

Final comments

Once again, I regret the inconvenience and anxiety this breach has caused. We continue our investigation and will keep you informed about what we learn. In the meantime, we hope that this credit monitoring service will help restore your peace of mind regarding your credit information.

Sincerely,

Mike Gormley
Executive Director

P.S. Please note that you will also receive this offer by Canada Post mail. We are using multiple channels to help ensure that this information is placed in your hands. 

---

May 25, 2017 update

Dear Member

You should have received emails from me on May 16 and 18 advising that the AMA has had a data security breach.

This is to confirm that we are very close to making the Equifax Complete™ Premier Plan credit monitoring service (including identity theft insurance) available. Again, this offering will be available at no charge to all members for a two-year period.

While we had hoped to launch this week, we want to be extra diligent – and also try to ensure that you have a seamless experience when you access the service. This has meant taking a few more days to do things carefully.

The Equifax service and call center should be available early next week. You will receive a personalized activation code and all the information you need to get started. We are communicating this information in multiple ways to help ensure we get this information in your hands. Once the service is available and the call center is open, you can find your code four ways:

• In the email that we will send to you announcing that the service is available and the call center is open
• On your personal member dashboard at albertadoctors.org
• In a letter that we are mailing via Canada Post to every member (in case these emails are missed)
• If you lose your number or can’t access it through these other means, via the AMA at our regular phone numbers 780.482.2626, toll free 1.800.272.9680 (during office hours)

Thank you for your patience. Our investigation of the breach continues. We still do not have any evidence that any information was actually accessed. However, until we can be sure and until you can set up your personal credit monitoring service, please continue to exercise vigilance over your bank accounts. Credit card numbers should not be involved but please take your normal care with those accounts. In case of any suspicious activity, immediately notify your bank and the RCMP’s Canadian Anti-Fraud Centre: http://www.antifraudcentre-centreantifraude.ca/index-eng.htm with the direct link to reporting an incident of fraud: http://www.antifraudcentre-centreantifraude.ca/reportincident-signalerincident/index-eng.htm

Thank you.

Sincerely,
Mike Gormley

---

May 19, 2017 update and Frequently Asked Questions

Dear Member

I am writing to provide you with an update about the data security breach I reported Tuesday, May 16 that affects members and employees of the Alberta Medical Association.

The AMA has contracted with Equifax, the leading national credit bureau. We are purchasing a comprehensive credit monitoring package for each member and employee. It will be available to you at no charge for a two-year period. With Equifax Complete™ Premier Plan you can:

• Monitor your credit and receive regular reports and access to your Equifax credit score to notify you of unexpected changes.
• Work with a dedicated Customer Care Representative who will answer your questions.
• Help protect your information including your social insurance number, bank accounts, home and work addresses and credit and banking history.
• Help minimize exposure including Internet scanning and dark web monitoring,
• Help reduce financial risk with up to $50,000 identity theft insurance.

The call center and Customer Care Representatives will be available very soon and we will let you know when it happens. In the meantime, we thought you might be interested in some frequently asked questions. You can review them here: https://www.albertadoctors.org/data-security

While awaiting availability of the credit monitoring service over the next week, we recommend you take the steps already suggested:

• Keep an eye on your bank accounts and credit cards and if you note any unusual activity, contact your bank immediately.
• In case of suspicious activity, you should also immediately notify the RCMP’s Canadian Anti-Fraud Centre: http://www.antifraudcentre-centreantifraude.ca/index-eng.htm with the direct link to reporting an incident of fraud: http://www.antifraudcentre-centreantifraude.ca/reportincident-signalerincident/index-eng.htm

Again, I apologize for the breach and the inconvenience it has caused. We continue to investigate to understand the complete nature of the breach and its implications. We are working very hard to minimize the impact of the incident and will keep you informed.

Sincerely
Michael A. Gormley
Executive Director

The AMA is offering members two years of free premium credit monitoring service with Equifax. The service includes a call centre staffed by experienced Customer Care representatives who will be able to answer questions you may have.

FAQ

The call center will be up and running very soon and we will let you know when it happens. In the meantime, here are some questions and answers we have compiled for you. We hope you find them helpful. Watch for information about activating your Equifax account.

1. HAS MY INFORMATION BEEN BREACHED?

As of today, we know that data was exposed. We have no evidence yet that any data has actually been accessed, but we are acting in terms of the worst-case scenario.

The exposed data has now been secured and we have engaged legal and security experts to assist with the investigation to ensure we can provide answers as soon as possible.

We will email as we have more information. Please check for latest updates anytime at https://www.albertadoctors.org/data-security

2. WHAT SHOULD I DO WHILE I AM WAITING TO LEARN MORE?

We are committed to providing updates as frequently as possible. In the interim, please continue to be vigilant in monitoring your personal and banking information.

• Keep an eye on your bank accounts and credit cards and if you note any unusual activity, contact your bank immediately. 
• In case of suspicious activity, you should also immediately notify the RCMP’s Canadian Anti-Fraud Centre: http://www.antifraudcentre-centreantifraude.ca/index-eng.htm with the direct link to reporting an incident of fraud: www.antifraudcentre-centreantifraude.ca/reportincident-signalerincident/index-eng.htm 
• We encourage you also to sign up for the Equifax Complete™ Premier Plan credit monitoring that is being offered (at no charge for a two year period to all members) by the AMA. You will receive an activation code by email the week of May 23-26. If you have not received your code by then, please email datasecurity@albertadoctors.org

3. HAVE EXTERNAL PARTIES BEEN NOTIFIED?

An official report has been submitted to Office of the Information and Privacy Commissioner of Alberta (OIPC). We have secured legal counsel and as the investigation proceeds, we will notify other parties as needed.

4. WHAT IS THE AMA DOING TO RESOLVE THIS ISSUE?

All electronic files have been removed from the compromised environment, and operations with the vendor have ceased until further investigation has occurred.

AMA teams continue to work diligently to investigate the breach and assess the risk. A forensic investigation team has been engaged to do a full analysis to determine the nature of the virus and the scope of impact.

We are in ongoing communications with legal, privacy and credit monitoring experts to provide the best possible support for our members and employees.

We encourage you also to sign up for the Equifax Complete™ Premier Plan credit monitoring that is being offered (at no charge for a two year period to all members) by the AMA. You will receive an activation code by email the week of May 23-26. If you have not received your code by then, please email datasecurity@albertadoctors.org

5. HOW WAS THE INCIDENT DISCOVERED AND WHO DISCOVERED IT?

The vendor noticed server performance issues which triggered an investigation. The investigation revealed the presence of a virus.

6. WHY DID IT TAKE AMA FOUR DAYS TO LET MEMBERS KNOW?

We learned of the breach late Friday afternoon. The subsequent lag was due to necessary investigation and due diligence. We also were in communication with the Office of the Information and Privacy Commissioner, legal counsel and information breach experts.

7. WHAT KIND OF RECORDS WERE INVOLVED?

The files that were exposed are PDF versions of quantities of paper documents. These files are widely varied and may include: applications for membership renewals; benefit programs like Continuing Medical Education, Parental Leave Program; committee expense and honoraria payment forms; etc.

8. WHY CAN’T YOU TELL ME NOW EXACTLY WHAT WAS IN THERE?

The files that were exposed consist of thousands of pages of these various forms and documents. In order to identify exactly what information was compromised for a single member, we would have to go through each file one page at a time. We will assess the need to do so once we have the results of the forensic audit, but it will take some time.

9. WHY DOES AMA RETAIN THIS INFORMATION?

Canada Revenue Agency and other regulatory bodies require the AMA to retain the data for a specified period of time. Our grant agreements with Alberta Health for benefit programs also have extensive and lengthy retention requirements.

10. WHAT CREDIT CARD INFORMATION WAS INVOLVED AND WHY WERE YOU STORING THOSE NUMBERS?

At present we do NOT believe that credit card data has been compromised. The limited amount of credit card numbers on file were dated and would have expired already. We encourage you to exercise your normal vigilance over credit card statements and also to sign up for the Equifax Complete™ Premier Plan credit card monitoring that is being offered at no charge for a two year period to all members.

We no longer store credit card numbers and have not done so for years. We are, however, still required to retain those records due to Canada Revenue Agency requirements and other terms of our many grant agreements with Alberta Health. For example, many of the benefit program agreements require us to retain complete records for 10 years after the expiration of a program

11. DID YOU ALLOW OR PERMIT THE SUBCONTRACTOR OF THE THIRD PARTY VENDOR TO HAVE ACCESS TO THE FILES?

No. That access was extended through the third party primary contractor.

12. DID YOU HAVE A CONFIDENTIALITY AGREEMENT WITH THAT CONTRACTOR?

We had an agreement with the primary contractor who engaged the sub-contractor, both bound to the terms of that agreement.

13. WAS FINANCIAL DATA RELATED TO HEALTH INSURANCE COMPROMISED?

No.

14. WERE ANY OF MY PASSWORDS EXPOSED?

No passwords of any sort were involved.

15. THE AMA HAS MY BANK ACCOUNT INFO. WOULD YOU RECOMMEND THAT I CLOSE THIS ACCOUNT IMMEDIATELY?

Not at this time, but carefully monitor your bank accounts until such time as you can sign up for the credit monitoring service that the AMA has now purchased for all members.

16. MY BANK CONTACTED ME ABOUT SUSPICIOUS ACTIVITY ON MY CREDIT CARD WHICH OCCURRED ON THE EXACT SAME DATE AND TIME, MAY 12. DID THAT ARISE FROM THE BREACH?

This was probably un-related since credit card information we still hold is out of date. We would not have a current credit card number on file.

17. DOES THIS HAVE ANYTHING TO DO WITH THE CYBERATTACKS BEING REPORTED IN THE NEWS IN MANY COUNTRIES?

No. This appears to be an unrelated incident.

---

May 16, 2017

Alberta Medical Association security alert: Reporting breach of member information

What has happened

The AMA contracts with a third-party service to convert paper-based files to electronic format. Late Friday afternoon (May 12) we learned that a subcontractor of a third-party vendor who provides this service has been the victim of a cyber-attack. As a result, some AMA files stored on the server were exposed because of that vulnerability.

We wish to apologize to the membership for this unfortunate event. We have been engaged in investigation and exploring options since then and today are writing to advise you of what has transpired.

The risk to you and what we are doing in response

Across a variety of types of digitized files that were temporarily stored on the third party server, a significant amount of member and employee personally identifiable information has been exposed. This information is sensitive. In a worst case scenario where multiple elements have been exposed, it is likely of sufficient nature to enable risk of fraud or identity theft. Including but not limited to: names; personal and professional addresses; T-4s, bank and credit card information; and demographic details.

As of today, we know that the server where the data resided was compromised. We don’t know whether the data was accessed inappropriately, only that it could have been. If it was, we don’t know to what extent. The AMA is taking all necessary steps to address this situation, including investigation through a forensic audit. Here are some other things that are underway.

• All AMA digital files have been pulled from the server. 
• We are consulting with legal, privacy and breach-recovery experts. 
• We will review all related processes against learnings from this event to help prevent future incidents. 
• We have reported the incident to the Office of the Information and Privacy Commissioner are receiving guidance on steps to take

What you can do now

We understand that all members will be anxious to know exactly what information has been affected. Other than knowing the general categories as mentioned above, with thousands of pages of variable documents involved, we simply cannot tell you today the impact on an individual level. The aforementioned forensic audit will help us determine next steps in this regard.

We will provide additional information within a few days. In the meantime, to be safe, we suggest that you keep an eye on your bank accounts and credit cards and if you note any unusual activity, contact your bank immediately. You should also immediately notify the RCMP’s Canadian Anti-Fraud Centre: http://www.antifraudcentre-centreantifraude.ca/index-eng.htm with the direct link to reporting an incident of fraud: http://www.antifraudcentre-centreantifraude.ca/reportincident-signalerincident/index-eng.htm

We hope to coordinate communication with members so we can be sure we are aware of all issues and questions.

If you have questions while awaiting our next communication, please email datasecurity@albertadoctors.org. We will post all updates on this page.

Our commitment

We will learn as much as can be learned and maintain clear and regular communication with you as we work through this event. Again, we sincerely regret what has happened. We pledge to do our utmost in response on your behalf.