About 7,000 Albertans will receive notice that their personal health information may have been leaked

AHS says the doctor was using a personal email account to do official business, which is a breach of policy

A physician at the Richmond Road Diagnostic and Treatment centre was the victim of a cyber-attack

CALGARY (660 NEWS) – Alberta Health Services says the personal information of about 7,000 Albertans is at risk after a physician improperly used a Gmail account to share health information.

AHS said the personal email account was recently hacked.

“This physician’s private, personal Gmail account was hacked by a cyber criminal, placing Alberta Health Service patient information at risk,” said Ted Braun, VP and Medical Director for southern Alberta. “This breach is completely unacceptable and should not have happened.”

It is against AHS protocol for a staff member to conduct official business on a personal account, and this doctor was not following the rules properly.

“Specifically [it] prohibits the use of personal emails and anything other than Alberta Health Services emails for anything related to AHS patients,” said Braun.

The physician worked at the Richmond Road Diagnostic and Treatment Centre in Calgary and only patients of this specific doctor are affected.

AHS said they’re working with the physician’s office to notify all affected patients of this potential privacy breach and are providing a staffed telephone line to provide information to anyone requesting further information or assistance.

Patients will start receiving letters in the next week detailing what has happened and what they can do.

At this time, there is no action that patients at the centre can take.

“They have to wait until the letter arrives, because there are tens of thousands of patients who have been seen at that site,” added Braun.

AHS is also working with police to determine who hacked the email and to see if they can recover any of the information.

Braun assured that AHS takes all efforts necessary to combat security risk, but a cybersecurity expert says they are in a tough spot.

“Well, the reality is health care is not resourced at all to deal with cybersecurity,” said David Shipley, CEO of Beauceron Security. “It’s really important that people recognize this is not a unique occurrence. This happens in health care organizations across the country, every day. It’s a symptom of a big problem.”

Braun said this underscores the importance of training staff about following email protocols properly, and Shipley agreed.

“It is incredibly risky to use these kinds of tools to share such intimate personal information,” Shipley pointed out. “And personal information is the most sought after information on the black market.”

To make matters worse, this is a much more concerning situation than if a credit card was stolen.

“Unfortunately, if it’s your intimate health care information, there’s not much you can do. I mean, if it’s the loss of a credit card, you can change your credit card,” Shipley said. “You can’t change your past medical history.”

And it’s not just criminals who might want your information, insurers could turn you down for care.

Braun added that AHS is cooperating fully in the investigation and apologizes for any concerns this may create.

“We also know that this physician in question is extremely remorseful that this breach has occurred, and he’s cooperating completely with us to ensure this does not happen again,” said Braun.

The physician will not be identified due to AHS policies.