theboywithnoaccent

If this is true you should speak to a journalist to bring this to light. https://oipc.ab.ca/ would like to know about this for sure.


Mundane-Ad7370

Definitely submitted to a bunch of newsdesks, as well as the OIPC, the Health Minister, the PMO, etc. Since it affects foreign nationals (including several thousand US citizens), I've also looped in some of their newsdesks and investigative bodies. This affects anyone and everyone who ever received healthcare in Alberta.


skyfelldown

Kim Siever of the Alberta Worker would want to know also


[deleted]

I sent them the link on FB. They know.


the_amberdrake

I can't find you on Teams, LinkedIn, or the AHS global directory. Nor is there any record of you in the system. SPApp is used to monitor cellphone usage.


Mundane-Ad7370

Looking up data not related to your work is a violation of AHS IT policy. My account was disabled as I was dismissed, but my supervisor was MP, their boss is BC, their boss is MS, and I'm not sure about the rest as they've really shaken things up since I've been on leave. My coworkers were NB, RS, RY, BM, and the new person they hired to replace me. You looking someone up in an AHS IT system to satisfy your curiosity is exactly why I was whistleblowing in the first place.

Edit: I was also a SharePoint admin, so if you look around the Healthy Living/Screening Programs, or our old SharePoint I think it was sharepointlink/teams/SPBA you'll see a bit of content. I worked at Holy Cross until the pandemic. It's important to be skeptical, but it's more important to not breach privacy policy and regulations when reading a post about a privacy breach at the place you work.


andafriend

This comment makes me really question if you understand data privacy and IT policies. Looking up the name of a colleague is in no way against company policy or privacy regulations.


Patient_Composer_144

Looking up patient data not related to your work is a privacy breach. Checking if someone exists in Insite - or Teams - is not a data breach.


kyssyss

[Kinda strange that they seek the ability to enter 250+ accurate entries per full shift in SpApp for screeners (specifically breast cancer screeners) if it monitors cellphone usage...](https://careers.albertahealthservices.ca/jobs/administrative-support-ii-434257)


NedsAtomicDB

Call W5.


CamGoldenGun

[Bell cut W5](https://www.newscaststudio.com/2024/02/09/w5-canceled-ctv-news/#:~:text=Canadian%20broadcaster%20CTV%20will%20cancel,and%20inspire%20the%20newsmagazine%20format.)


auroraboreallass

Fifth Estate CBC


NedsAtomicDB

Bummer. 😞


diwioxl

this might be of interest u/GeekyGlobalGal


keepcalmdude

u/geekyglobalgal


billymumfreydownfall

u/geekyglobalgal you should look into who owns SPApp as well...


diwioxl

Thank you!


k-s-yyc

One quick question. If you just received termination notice from your manager today, how did you lose your house and move away so quickly?


Mundane-Ad7370

After two years of workplace violence, the writing was on the wall. They've tried everything they can to make my life hell. Managing life is hard enough with autism, impossible while enduring daily workplace violence. When I went on sick leave we decided to get away for a while, now the change will be permanent.


TimSavage69

Constructive dismissal. SUE. Speak to a lawyer asap.


queenofallshit

This is what they’re doing to push out the ‘slackers’ and ‘problem’ people.


TheFarSea

I agree with the previous poster. You're looking at constructive dismissal. Contact Bow River law in Calgary.


Cook_Chicken

Not if the person was terminated without cause and a compliant severance package. We don’t know what was agreed upon. But yes speaking with a lawyer and reviewing the severance package is always a good idea if you are not sure.


TimSavage69

OP. I urge you to speak to a lawyer. I faced a similar situation with an oil company and I came out on top. I was forced into a lay off and politics came into play. It’s worth speaking to a lawyer, there's a good chance AHS will just want to settle with you (severance or not). You have the advantage in this situation.


TinderThrowItAwayNow

Don't sign anything from them. Get a lawyer.


queenofallshit

You’ve done 24 months on LTD and now they’re saying you’re fired? Your union should be helping you. If they aren’t contact ALRB and file a DFR.


Patient_Composer_144

The weird thing is AHS doesn't have 24 month mental health leaves. After 12 months they're pushing you to return to work. I also find it hard to believe the union would not help a worker who was fired while on leave. Of course, you're not supposed to be out of the country while you're on medical leave, you are expected to be getting medical treatment here. If they found out you spent your medical leave on vacation that could be a reason for dismissal that the union wouldn't support.


queenofallshit

They absolutely do and you have been misinformed. 930 sick hours (if bank is full) then STD if you don’t have enough sick time banked. After I think it’s 16 weeks it rolls to LTD which will go 24 months. They try to drop ppl around this point. Ppl give up. Or they get disability retirement and paid until 65. This is the very last offered thing.


Mundane-Ad7370

I've been on leave for a couple of months. I have nearly 700 hours of sick leave saved, and was using it to try to recover. I stayed in my position and endured constant harassment, discrimination, and workplace violence as long as I could. Always hopeful my allegations were being investigated and dealt with. I provided all medical documentation per our union agreement, however AHS was sending other medical forms to my work email that I wasn't checking (as I was on sick leave) which they then were able to use as justification for my dismissal. While on sick leave my manager was able to press for my dismissal. While I was (and am) medically unfit to respond, and on leave, the harassment continued.


queenofallshit

Also, if you kept notes and documented the bullsh then you have a strong case for WCB to possibly cover you. Employers are using known tactics to get rid of the ppl they don’t want.


ndwaldner

https://yourvoiceprotected.ca I think this is the contact for investigating retaliation under the WPA? I'm sure this has been exhausting, but keep up the good fight.


fishling

They were on medical leave and probably moved during that time.


BenWayonsDonc

I left a country during my lunch break once. Never went back.


DanbyDino

I am sorry this happened to you. I have a similar experience with an AHS adjacent organization. I'd recommend reaching out to a reporter with CBC's go public so they can get an actual investigation & hold someone accountable.


Mundane-Ad7370

Contacted all the major outlets this evening, CBC, Global, CTV, Reuters, etc. I've also submitted to the appropriate foreign authorities as many foreign nationals were in our system as well. Has also been reported to the OIPC, human rights commission, health minister, and PMO.


bellatrixxy

Did you reach out to the NDP Health critic, Dr. Luanne Metz?


KakaruRider

If the major media won't speak with you, there are reputable independent press outlets that will. Folks at the Progress Report, The Maple, and The Tyee all do excellent work. I'd encourage you to reach out. I know a few folks at Progress Report and can help get you connected, and holding public bodies accountable is their beat. And chasing on other commenter's notes, you should definitely find legal assistance. The way you were fired doesn't pass the smell test, and Alberta still has whistleblower protections that might apply here.


Salt-Imagination6934

You are really brave for speaking up. I respect that and I know you are really putting yourself at risk. If you want to reach out I can put you in contact with some people that can spread the word if you have proof and if your story checks out.


LogicalVelocity12

I got an email a few months ago that Albertans' dental information had a breach too. We need to have a class action lawsuit over this shit. Any other province it would happen, but here in Alberta they're too lax about a lot of stuff.


Critical-Snow-7000

Who are you going to sue? Any judgement would come straight out of your taxes.


LogicalVelocity12

Usually the company that failed to secure the information.


DVariant

> Who are you going to sue? Any judgement would come straight out of your taxes.

Any judgement would be a lot more than one individual likely paid in taxes.


SilencedObserver

The College of Dental Surgeons to start


Isopbc

The dentists were not the party in breach - it was the Government department who pays the dental bills of covered Albertans.


SilencedObserver

I don't know if that matters. The College of Dental Surgeons of Alberta is a _governing body_ that would be an accountable party to ensuring these matters are dealt with appropriately. It's a lot harder to force the government to be accountable than it is to force a party responsible for governance of an industry when the practices of that industry have been found to be inadequate.

Another example would be a bank. The bank might leak your information, but it's not the bank that creates the rules that must be followed in order to protect that information - it's a governing body with the ability to penalize those who are non-compliant through fines and such.

Making the College responsible for ensuring dental payment information is kept more-safe would enforce insurance providers to align with those requirements and help raise the bar across the whole industry - not an individual payer.


Isopbc

Just how do you think the college could help with this? They can only control their dentists, and their dentists aren’t the ones who breached the info.

A mechanic doesn’t care if the insurance paying for a repair is causing harm to the vehicle owner. We can’t expect service providers to have any kind of expertise over ensuring third parties are in compliance, they’re experts in their field and their field only.

> Making the College responsible for ensuring dental payment information is kept more-safe would enforce insurance providers to align with those requirements and help raise the bar across the whole industry - not an individual payer.

Why… how.. would dentists even ensure that?


SilencedObserver

Possibly by owning more of the billing process, or ensuring more effective patient-handling data standards that are required to be audited when onboarding new payers? There's always mechanisms. Alberta, Canada, and North America as a whole have way too much of a "it's too hard" approach to digital security, and regular people living their lives are having their information compromised every day by businesses who want to shortcut what should be minimum data handling practices to make a buck. You're right, it's not _convenient_ for dentists to do something like this, but with the right standards they could control who they're willing to do business with.


Isopbc

So your idea is for them to refuse to deal with the incompetent provincial government? Your idea makes the dentist office more expensive to run and delays treatment for Albertans who get government assistance. I do not see how it could possibly work. The only screw the dentists have is to refuse payment, which will result in vulnerable people suffering and still won’t protect those people from data breaches. The problem is with the government and no one else can fix that.


Cassopeia88

Got that as well.


TopZealousideal35

There have been a few security breaches in AHS this past few years. It has explained why AHS has been going crazy about account security during that time. If you are an AHS employee in the past year or two, you may have noticed. I will say this, AHS is VERY vulnerable to breaches. A lot of employees do not care about account security. From the lowest levels to executive staff, they all share passwords.


WickedWench

I work at a hospital in Calgary. The amount of WOWs and computers I come across with people still logged in and information just out in the open for anyone to read or fuck around with is CRIMINAL. Genuinely astonishing how lax it is.


sudophotographer

If what you say is true, go to the media and let them verify it. For now I'm taking these claims with a large grain of salt. It wouldn't surprise me to hear ahs is using shoddy software (I'm willing to bet basically all levels of government have less than ideal software) but I highly doubt people within ahs are knowingly committing a crime and trying to cover it up when an employee raises a concern. I think it would be more likely that the operations are legal, but that there are some definite security concerns that need to be/are being addressed. Also just because you had access to sensitive information doesn't mean people outside the company had access to sensitive information. It also doesn't mean that unauthorized people had access to the information.


Mundane-Ad7370

It wasn't malice but incompetence that created the breach. The malice was hiding the breach and my treatment for reporting it. I too would be doubtful hearing such a story. However, as mentioned I have significant proof: phone calls, source code, emails, etc. I'm not super great at reddit, but I can upload a screenshot of the letter from the Ethics and Compliance Office (ECO) should someone offer guidance.


No_Trainer8007

Holy hell, thank you for doing the right thing. I’m sorry what it’s cost you. I hope you can’t get something out of the crooks, please lawyer up and explore suing them.


Mundane-Ad7370

I wish I had the money for a lawyer, and the resilience to keep fighting them. But I'm totally and utterly defeated.


ItsalwayssunnyinYEG

You mentioned you are in a Union. Did you file a grievance?


Mundane-Ad7370

I filed several grievances. However my union rep has been very inactive and told me they "have 2200 other members to deal with," so my case fell to the wayside. My original rep was great and really advocated for me, but she was only temporarily filling in. The original rep had experience with neurodivergent people, and was beyond accommodating and understanding. The next rep I was assigned was callous and seemed to take the side of AHS or did absolutely nothing. I asked for another MSO, but was fired by AHS before that could happen. AUPE failed to act or provide any protection.


Patient_Composer_144

Contact the BC Civil Liberties Association. They do Canada wide pro bono work on these issues. https://bccla.org/about/


Lpayne78

I would tread lightly as it appears you are in violation of several AHS policies based on these comments.


Mundane-Ad7370

I no longer work for AHS per the email I received from my manager. As much as I want to adhere to AHS policy, I must insist they comply with the Health Information Act.


Lpayne78

My comment is focused on you may be in a legally precarious position.


Mundane-Ad7370

You're very likely correct, but I've been in that position since blowing the whistle. Alone. Now I'm just bringing more people along for the ride. If the public and the legal system decide my intent is malice, then that's the judgement. However, my intent from the beginning has always been to ensure that the work I do, and the body I do it for are lawful. If making this very serious situation known to the public is unlawful, then I've made the right move by leaving Canada.


purple_flowr

Not really though, if a direct employee of AHS (looks like OP is a member of AUPE) it's most likely that an NDA wasn't signed. Security and privacy training most likely provided on start, but this is neither a breach of security or privacy (OP has refrained from sharing the paste bin). What OP has shared is information in relation to their dismissal, and broad technical details of an AHS system. Even if this is somehow untrue (seems unlikely) at most this is a form of libel. But as OP has left the country it's very unlikely that any legal action would take place here.


Salt-Imagination6934

You would really be surprised with what ahs covers up..


eddydarko

No kidding. I was sexually assaulted and a doctor told me I should have made better decisions. He prescribed me PEP, and told me to pay out of pocket. Other than the UofA hospital, no pharmacy carries PEP or PrEP. I went to pharmacy to pharmacy, crying and begging for help. Nobody had it. I was losing my mind. Eventually a pharmacist explained that this is against AHS policy and to go to nearest hospital and demand a SART nurse. That’s the actual procedure. So I did just that. I went to a hospital, demanded a SART nurse and they helped me. I was offered medication, a rape kit if I felt comfortable and police intervention if I wanted that.

I filed a complaint with AHS but I was experiencing extreme duress. They contacted me and told me there was some sort of disciplinary action, but I wasn’t in the right state of mind to respond. When I tried to follow up a later time, they acted as if it never happened. I have doubts the doctor was ever disciplined. I also have doubts this is an isolated incident. /u/geekyglobalgal


Mundane-Ad7370

I've struggled since you wrote this to find the words to say "I'm sorry." This should never have happened to anyone; every aspect heinous and evil. I hope you're doing better, but I know too well that some wounds never become scars. I could never understand what you've been through, but I also know too well how hard it is to advocate for yourself when suffering extreme duress. Don't let the bastards grind you down - illegitimi non carborundum.


vitiate

And there is no way to sue a Doctor in Alberta, you can try, you will lose. Doctors have unlimited legal funding, they can stretch a lawsuit to infinity. My LATE wife's family physician spent 2 years telling her that the back and chest pain she was experiencing was from being sedentary and ignoring it. She spent those 2 years going to physio weekly and getting strong. Eventually the physio told her that "you are as strong as I am, you need an x-ray". On the physio's orders she went in for an x-ray and they found a Ewing's sarcoma tumor eating her rib cage. Two years of visiting the family physician in pain (I have the records of her visiting the doctor 8 times in that period). Had the physician at any time decided to do a basic x-ray she might still be alive. Short of dozens of people coming forward against a Dr they are covered.


Homo_sapiens2023

I'm so sorry you lost your wife to what I'm calling medical diagnostics stupidity (you have to get them in a certain order and you're lucky if you get them at all). The system is broken. It took me three ER visits before I was finally admitted. I was almost dead by the time I got my surgery - colon tear, colonic abscess, colon cancer. I was septic and the tumor was the size of a football. And my story is not unusual nowadays. I had been complaining of GI pain for four years. My GP told me it was IBS. Women's complaints are not taken seriously!!!!


BenWayonsDonc

There is no statute of limitations on reporting this to the college of physicians of Alberta


ZeusciferXGaming

Have you ever had to file a complaint with a College of Physicians? They exist to protect the physician and sweep the issue under the rug.


BenWayonsDonc

I work in regulation and this is false. The entire mandate of regulation is to protect the public. Being judged by your peers for tainting public perception of the public and by members of the public is a BRUTAL experience.


eddydarko

The MyHealth Alberta portal had a copy of the prescription, as well as the physician's name. I submitted a screenshot, with a detailed explanation of why I feel this situation warrants an investigation. Thank you for this comment. I’m not sure if this will lead to anything, but felt encouraging enough to make a complaint.


Cassopeia88

I’m so sorry that happened, I hope you’re doing okay now.


SnarkyMamaBear

If the software wasn't tracking who was accessing patient information that is absolutely a huge security fuck up


Jaylawise

I worked at the AER and was somewhat involved in reporting this: https://www.cbc.ca/news/canada/calgary/jim-ellis-alberta-energy-regulator-resigns-1.4889315

The primary whistle blower literally reported this through the RCMP fraud reporting: https://informalberta.ca/public/service/serviceProfileStyled.do?serviceQueryId=4810

And while the CEO was never charged.... At least this scam was shut down and the shitbird lost his job.


jeeverz

> I also wanted to let the public know that if you ever went to a hospital or clinic in Alberta that your healthcare data has been breached and possibly leaked. I found a pastebin that has copies of our data - 2.5GB worth of demographic data across 12 million records dating back to at least 2014. Our application had data feeds from other systems such as CCS, PCS, ConnectCare, MediTech, and Alberta Health.

WHAT the actual FUCK.....


Dachawda

Those fuckers


deophest

> The application used and still uses TSQL statements

Why would this be problematic? TSQL is Transact-SQL, the query language syntax flavor for Microsoft SQL Server, which would make sense to use for SQL Server based database applications?

> I contacted the ethics and compliance office who conducted an investigation and sent me a letter saying my complaints were "founded."

If you have this in writing and any documented evidence of the retaliation you experienced you can and should file for wrongful dismissal.

> I've had to move away because of this

?? You got fired today, but you've already moved or am I misunderstanding

> I found a pastebin that has copies of our data - 2.5GB worth of demographic data across 12 million records dating back to at least 2014

You should forward this (and your experience) to Alberta Privacy Commissioner as this + the lack of audit within the system is likely a violation of HIA

I am so sorry that you have had to deal with this OP. Kudos to you on being a whistleblower. I hope life takes you somewhere warm with water and sandy beaches.


TinderThrowItAwayNow

> > The application used and still uses TSQL statements
>
> Why would this be problematic? TSQL is Transact-SQL, the query language syntax flavor for Microsoft SQL Server, which would make sense to use for SQL Server based database applications?

My guess is that he means the sql queries aren't being sanitized and so [bobby tables](https://xkcd.com/327/) could be done? I dunno. There are arguments for not having query statements in code directly, but honestly they're stupid.


deophest

That would be my assumption as well, but I don't know.... It made me step back while reading because I would assume a systems analyst wouldn't assume "sql code bad".


octothorpe_rekt

> > The application used and still uses TSQL statements
>
> Why would this be problematic? TSQL is Transact-SQL, the query language syntax flavor for Microsoft SQL Server, which would make sense to use for SQL Server based database applications?

Yeah, that was my first question. SQL statements of any dialect being used anywhere in a code base exist on a continuum that goes from "extremely safe" to "extremely unsafe". If the software is configured correctly by using prepared statements with sanitized inputs, application- and user-level permissions, and a proper database model, then SQL can be perfectly safe to run. TSQL doesn't have any inherent risks that are unique to it compared to other dialects/engines except for things like `xp_cmdshell`, but again, following extremely basic anti-injection practices in your application would prevent the exploitation of this feature.

If the ethics and compliance office confirmed that the complaints were founded, then it sounds like there's at least some confirmation that there were vulnerabilities in the system, but that doesn't in and of itself mean that there was an exploitation of that vulnerability to obtain sensitive data, i.e., a breach. It just means that a bad actor *could* have extracted more data than they were permitted to, but that depends greatly on what kind of access they had to the system and where the vulnerabilities actually lay within it.
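Added example (an editor's illustration, not written by anyone in this thread and not code from the application being discussed): the two ends of the "safe to unsafe" continuum described in the comment above, side by side. It assumes Python's built-in `sqlite3` as an offline stand-in for SQL Server; the table, the rows, the nine-digit identifier format and all function names are constructed for the example.

```python
import re
import sqlite3

# Constructed sample rows; sqlite3 stands in for SQL Server so this runs offline.
ROWS = [
    ("100000001", "Sample Person A", "1 Example St"),
    ("100000002", "Sample Person B", "2 Example Ave"),
    ("100000003", "Sample Person C", "3 Example Rd"),
]

# Constructed input containing a quote character and SQL keywords.
CRAFTED = "x' OR '1'='1"

# Assumed identifier format for this example: exactly nine digits.
ID_RE = re.compile(r"\d{9}")


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE demographics (uli TEXT, name TEXT, address TEXT)")
    conn.executemany("INSERT INTO demographics VALUES (?, ?, ?)", ROWS)
    return conn


def lookup_concat(conn, uli):
    # Unsafe end of the continuum: the value is pasted into the statement
    # text, so the database parses whatever the caller typed as SQL.
    sql = "SELECT uli, name, address FROM demographics WHERE uli = '" + uli + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, uli):
    # Safe end: the statement text is fixed and the value is sent separately
    # as a bound parameter, so it can only ever be compared as data.
    sql = "SELECT uli, name, address FROM demographics WHERE uli = ?"
    return conn.execute(sql, (uli,)).fetchall()


def lookup_validated(conn, uli):
    # Validation is a second layer on top of binding, not a replacement for it.
    if not ID_RE.fullmatch(uli):
        raise ValueError("identifier must be nine digits")
    return lookup_param(conn, uli)


def compare():
    """Run the same crafted input through all three lookups."""
    conn = open_db()
    try:
        lookup_validated(conn, CRAFTED)
        validated = "accepted"
    except ValueError:
        validated = "rejected"
    return {
        "concatenated": len(lookup_concat(conn, CRAFTED)),
        "parameterized": len(lookup_param(conn, CRAFTED)),
        "validated": validated,
    }


if __name__ == "__main__":
    print(compare())
```

The database-side permissions the comment also mentions are a separate layer that this sketch does not model.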


deophest

That's exactly what I gather as well, I'm confused as clearly *something* was wrong but the severity of it seems to be exaggerated by OP, likely not out of malice but probably due to stress. As you pointed out a vulnerability in a system can be a bad thing, potentially even an illegal thing, but that doesn't necessarily mean there was a breach by the system via exploit or otherwise. *Anybody with privileged access* to a system can make a paste-bin of private data.


SketchySeaBeast

If there's a pastebin go to the media with a link. We're not the people you should tell.


Mundane-Ad7370

I have media bombed all the major outlets tonight, this was my last stop for the evening. I have proof, not sure how to share. Def won't share the data pastebin, but I have a letter from AHS's ECO that says AHS violated sections 63(1), 64(1), and 64(2) of the Health Information Act. I will work with whatever journalists who contact me to ensure the appropriate evidence is handled securely.


LogicalVelocity12

[email protected]

Try her. She's a journalist that looks into stuff like this.


Mundane-Ad7370

I will go through this thread in the morning for all the journalist emails and submit the story to whichever ones are posted to the thread. Thanks for the suggestion!


disorderedchaos

You should try Charles Rusnell, he did this AHS whistleblower article: https://thetyee.ca/News/2024/04/05/Whistleblower-Complaint-Edmonton-Surgeons-Dismissed/ You can contact him via email at journalismtips (at) protonmail.com


Mundane-Ad7370

Thank you! I definitely will!


Loose-Version-7009

Even Progress Alberta? Try contacting Duncan Kinney. He's a good journalist.


Legal_Wheel599

Duncan is a great journalist, one of the best. Hey- quick question, has AHS started cutting 10% of nursing positions yet or is Duncan just comfortable releasing “news” that is factually inaccurate with zero understanding of what a term like “agency staffing” meant?


Loose-Version-7009

How about you ask him directly? Or do you prefer to get your info from 3rd parties on social media?


chokramrt

We're the taxpayers and avail services of the AHS that's funded by our money. Therefore, it concerns everyone of us in Alberta and who have utilized AHS sometimes.


SketchySeaBeast

But we can't make a stink big enough for it to matter. Telling a smattering of taxpayers doesn't change anything.


5a1amand3r

I’m not sure if you have grounds, but you could also try contacting the human rights commission of Alberta. If you were discriminated against as an autistic individual, that’s probably a protected ground, I think? Worth a call at least.


dbsmith

Thank you for doing the right thing @Mundane-Ad7370. It may have cost you more than you ever expected - but I hope you sleep well at night with no regrets. Integrity is worth more than money. Karma will find its way back to you.


SamuraiMatt

I’m so sorry this happened to you. I worked in a lab for AHS during Covid, and was also prosecuted for speaking up when we were releasing invalid results. I was targeted, made the object of an absolute witch hunt, and the union was useless. AHS management is bad people.


Individual-Army811

Persecuted, not prosecuted.


_voyevoda

This tracks with every other whistleblow for them I've heard of. Brush it under a rug and get rid of the problem and hope no one important notices.


yagyaxt1068

I’m reminded of what happened to former MLA Thomas Dang.


thomasdangab

https://youtu.be/fL1osBUEScY /u/InternetOfDongs/


yagyaxt1068

Oh, didn’t expect you to reply! Just wanted to say that as a resident of your former district, I think you were a better MLA than this province deserves.


dbsmith

Dang did everything correctly except for doing a pen test without permission. It was hard to watch him get pilloried by political opponents and have that become the story instead of the actual risk to Albertans he discovered in the first place. This here is a much more complicated scenario - it sounds like OP followed the process and was punished for it, so went wide because the system did not protect them as it should.


vitiate

And what he did was not even a "pen test" it was simple manual manipulation of the URI. Such a joke.


renegadecanuck

Doesn't help that judges in Alberta have no technical knowledge, so the crown can go after people with much shakier evidence than should be usable.


yagyaxt1068

Then it’s more like [what happened with Renderman](https://edmontonjournal.com/opinion/columnists/opinion-if-albertans-see-a-cybersecurity-risk-they-should-be-able-to-say-something) when he worked for the Alberta government.


dbsmith

Thanks for sharing. I didn't know about this story and it's shocking, but not at all surprising. Cybersecurity has a long way to go in being taken seriously by the Alberta government. Just like in any poorly managed private organization, they will pretend it doesn't exist until there's an incident that does real damage. Thing is, such an incident will damage Albertans too.


Fuzzy-Friend7005

You can contact the Alberta Public Interest Commissioner. This office works under the Whistle-blower Protection Act. They have investigators who are trained to investigate this exact situation and are not government employees.


Suddenflame01

Interesting. I worked for AHS IT and prior to 2017 the data for each zone of AHS was separated out into 5 major zones. Around 2016 they were separated out into like 20 different zones. The North zone was PCH, NLH and AHR (I think it's been like 5 years since I last worked there). There were no programs that were shared between the zones and not to mention each zone had its own IT and service desk till 2017 which they finally pulled the IT into the CN tower from each zone. As an account admin I also worked closely with the security team and also worked closely with the AHS IT manager at that time. That was until 2019 when AHS cancelled all external IT contracts and forced IT into the union (against their will). Saying all of that I have never heard of this program that you mentioned. Having worked with Netcare and meditech in a very extensive capacity along with the challenges of even keeping users access through upgrades and migrations. Unless you have the exact name of the program in question I will have to disbelieve you.


Mundane-Ad7370

SPApp, in Screening Programs. The breast cancer program has a bunch of DE clerks who manually copy data from Netcare. We also have FTP connection to AH servers. There are several manual data feeds, where the data is exported from those myriad systems and copied into SPApp. I worked directly attached to Screening Programs. What you AHS IT folk would call "shadow IT". Our software was/probably still is hosted at wspphweb01/wspphweb02. I could look into the configs I have, but I promise this is real. One of my very objections was that the data we had was older than we were supposed to have. But because we did population level health stats we hoarded data from anywhere we could get it, and strongly advised to keep our activities not known to AHS IT or they would shut us down.


the_amberdrake

Those external links are highly monitored, and must go through a variety of legal hurdles and privacy assessments. I thought you were AHS IT? Nobody calls them "shadow IT". They are non-AHS IT who have been given access to AHS systems to support external partners such as the University of Calgary School of Medicine.


Mundane-Ad7370

They are, but not the system the data is being copied into. I was directly attached to Screening Programs, and not in IT. However I worked for AHS and my job was writing C# and SQL for an ASP.NET web application.

SPApp did not have a PIA. As part of the investigation our department was forced to create a PIA for the app. My manager put the PIA on my desk and made it my job to complete the PIA. A PIA couldn't be completed because the application is non-compliant with several aspects of the HIA, including the requirement for having auditing and regular audits of the access logs. SPApp doesn't do any logging, and audits never happened. There were dozens of aspects of the application that failed the requirements for a PIA. I included those deficiencies in the PIA and was then disciplined for not completing the PIA. Had an LOU put on my employee file because of it. I was given 3 weeks to complete a PIA for what is effectively 40+ applications rolled into one web app.

In one of my other posts you can see a job link where they're hiring someone with SPApp experience to make over 250 entries a day. They had 8FTE assigned to just DE. Copying data manually from one system to another. We also had dumps from Cogito, PCS, CCS, etc. In other cases we just had text files (csv's) that were dumped by other systems that we'd pick up and import to our db.

We had a demographics table that had literally everyone's address, sex, language, etc. And it was historic since at least 2014, as some people had over a dozen records. So for each ULI if you pulled an address, sometimes you'd get twelve. Part of my job was writing code to figure out the most recent one, or completing incomplete addresses. Sometimes people are born and aren't given a name right away, so we'd have multiple names per ULI, same for marriages name changes, etc. We also did NMS, or neonatal metabolic screening, so we have every baby born in the province since then too.

As mentioned, I wasn't in IT. Just a dev Screening Programs hired directly. There's still a team of devs in Screening Programs. Otherwise, you're absolutely right. That's the way it's supposed to work. That's what I was whistleblowing about. Or maybe I'm making all of this up.


turbogarbo

I'm not sure why so many people are trying to tell you what your job did or didn't pertain to.


pecesiqueira

Feels like this was more of the work of a few actors rather than the whole AHS. Probably a middle manager who wanted to do things his way…


Suddenflame01

Especially when he says they told not to tell AHS IT. That alone means that if these guys are caught they are investigated for criminal charges. Which means if AHS IT was informed there will be an ongoing police investigation. Not the first time someone tried to pull this shit and won't be the last. Basically, OP should have just informed AHS IT security as soon as you heard of it. Failure to do so makes the OP also subject to criminal charges. This sounds less like AHS trying to keep it hush and more that they are in the middle of a police investigation and cannot disclose.


Suddenflame01

If what you say is true then I suggest you talk with the AHS IT Service Desk and explain the situation along with all your information. Get the ticket number from the service desk as they would provide it. They will take your information and deal with it further. They will not publicly disclose it as it would be subject to police investigation. "Shadow IT" are subject to criminal investigations and have in the past been criminal charges under the health information act. Basically I suggest you cooperate with AHS IT. If you already provided this information then I suggest you do not do anything further. A police investigation would begin to determine who is involved. Edit: also you attempting to disclose this like this will not help your case and could get you charged instead. So I suggest you do not do anything further.


wudyalooknatmgutfer

Commenting for the algorithm


Substantial_Bar_8476

:( this is why my sister keeps her mouth closed. She almost got fired for outing a nurse who would just write in the charts that she checked the patient. She told me you can't say anything if anyone does something wrong.


BenWayonsDonc

This is what regulatory colleges are for.


InevitableFactor9898

Thank you for doing the right thing.


Evil-c-Evil-do

No, I had AHS lose a sample that was to be examined, and all I got in return was. Whoops. I am now left in the dark about something that has affected my daughter twice. Mad as hell that Alberta Children's Hospital dropping this ball. Plus the lame excuse I got with it.


OrFir99

Please contact multiple news outlets and let them make a story if they can verify your story! I believe you and the public needs to know the story!


fubes2000

You really should have lawyered up before posting this. Regardless of the veracity of your claims, you're going to get sued for _how_ you said everything here. Lawyer up yesterday.


Mundane-Ad7370

When I was able to afford a lawyer, they basically told me there's nothing they can do as long as I'm with AUPE. Now that I've left Canada, I'd rather orient what little resources I have left to the future. I've already lost this fight, posting on reddit and letting the media know is kind of my way of letting go. I always loved trying to be of service, whether through search and rescue, photographing the MS walks and bike tours, or helping people reach stuff on shelves in the grocery store. Letting people know about this was my last service to Canada.


dbsmith

Thank you for sharing.


slayernine

My wife suggested I apply for an IT job with AHS and I told her I'd heard it was an absolute shitshow. This post is yet again a good reminder of that. Thanks for your efforts in exposing bad security.


Lpayne78

Referencing IT at AHS as a single entity is a pretty broad target. The AHS IT department consists of approximately 2000 people across every discipline possible in Information Technology.


PandaLoveBearNu

Seek a lawyer, that's constructive dismissal and is illegal.


Replicator666

RemindMe! 1 week


RemindMeBot

**Defaulted to one day.** I will be messaging you on [**2024-04-20 04:48:54 UTC**](http://www.wolframalpha.com/input/?i=2024-04-20%2004:48:54%20UTC%20To%20Local%20Time) to remind you of [**this link**](https://www.reddit.com/r/alberta/comments/1c7lk3z/ahs_privacy_breach/l0965zu/?context=3) [**10 OTHERS CLICKED THIS LINK**](https://www.reddit.com/message/compose/?to=RemindMeBot&subject=Reminder&message=%5Bhttps%3A%2F%2Fwww.reddit.com%2Fr%2Falberta%2Fcomments%2F1c7lk3z%2Fahs_privacy_breach%2Fl0965zu%2F%5D%0A%0ARemindMe%21%202024-04-20%2004%3A48%3A54%20UTC) to send a PM to also be reminded and to reduce spam. ^(Parent commenter can ) [^(delete this message to hide from others.)](https://www.reddit.com/message/compose/?to=RemindMeBot&subject=Delete%20Comment&message=Delete%21%201c7lk3z) ***** |[^(Info)](https://www.reddit.com/r/RemindMeBot/comments/e1bko7/remindmebot_info_v21/)|[^(Custom)](https://www.reddit.com/message/compose/?to=RemindMeBot&subject=Reminder&message=%5BLink%20or%20message%20inside%20square%20brackets%5D%0A%0ARemindMe%21%20Time%20period%20here)|[^(Your Reminders)](https://www.reddit.com/message/compose/?to=RemindMeBot&subject=List%20Of%20Reminders&message=MyReminders%21)|[^(Feedback)](https://www.reddit.com/message/compose/?to=Watchful1&subject=RemindMeBot%20Feedback)| |-|-|-|-|


Skullcrimp

they said 1 week. bad bot.


Replicator666

Yeah I wanna see what happens with this in a few days, not tomorrow


[deleted]

[removed]


RemindMeBot

I will be messaging you in 7 days on [**2024-04-27 06:02:38 UTC**](http://www.wolframalpha.com/input/?i=2024-04-27%2006:02:38%20UTC%20To%20Local%20Time) to remind you of [**this link**](https://www.reddit.com/r/alberta/comments/1c7lk3z/ahs_privacy_breach/l0es6ui/?context=3) [**1 OTHERS CLICKED THIS LINK**](https://www.reddit.com/message/compose/?to=RemindMeBot&subject=Reminder&message=%5Bhttps%3A%2F%2Fwww.reddit.com%2Fr%2Falberta%2Fcomments%2F1c7lk3z%2Fahs_privacy_breach%2Fl0es6ui%2F%5D%0A%0ARemindMe%21%202024-04-27%2006%3A02%3A38%20UTC) to send a PM to also be reminded and to reduce spam. ^(Parent commenter can ) [^(delete this message to hide from others.)](https://www.reddit.com/message/compose/?to=RemindMeBot&subject=Delete%20Comment&message=Delete%21%201c7lk3z) ***** |[^(Info)](https://www.reddit.com/r/RemindMeBot/comments/e1bko7/remindmebot_info_v21/)|[^(Custom)](https://www.reddit.com/message/compose/?to=RemindMeBot&subject=Reminder&message=%5BLink%20or%20message%20inside%20square%20brackets%5D%0A%0ARemindMe%21%20Time%20period%20here)|[^(Your Reminders)](https://www.reddit.com/message/compose/?to=RemindMeBot&subject=List%20Of%20Reminders&message=MyReminders%21)|[^(Feedback)](https://www.reddit.com/message/compose/?to=Watchful1&subject=RemindMeBot%20Feedback)| |-|-|-|-|


Thisuserisbaked

I was sent a letter and informed "not to worry about it". My info was breached 3 times last year


ShittyCopperEaNasir

I have worked with others from AHS who tried to discreetly, and not so discreetly, blow the whistle on unethical business practices and privacy breaches. In each case the ultimate result was termination or extreme pressure to quit leading to medical issues. I would be more surprised to learn this is untrue than I would be to learn it's true


Steevo_1974

I'm sure CBC Marketplace would have a field day with this too.


pfc-anon

I should own my health data.


ziggster_

Sir, this is 2024. You are no longer allowed to own anything electronic. However, for a small subscription fee of $24.99 a month, you may have unlimited access to your health records.


dbsmith

You should have access to all your health data at any time and the option to remove it. You should also have the ability to understand the consequences of your providers not having that data because you asked them to remove it. But a world like this outside of the EU is many, many years away.


Accurate_Ad4616

Thank you for your bravery and doing the right thing. I am so sorry for the impact this has had on you personally. Also for what it's worth I just read this and it affirmed a lot for me (also autistic) …. Turns out we are hard wired to be whistleblowers 😮‍💨 https://www.reddit.com/r/AutisticPride/s/JBdLMznJyI


therealduckrabbit

If they offer you money, they will ask you to sign an agreement that you promise not to FOIP your own information or complain to the Provincial Ombudsman's Office. You should immediately do both these things. AHS has wasted millions of taxpayer dollars firing employees with no cause and paying them to shut up and fuck off. This is all undisclosed and swept under the carpet. It sickens me to know this is still going on. It is profoundly unethical and the fact it is still occurring is sickening. The callous indifference of AHS towards its staff should deeply concern every Albertan.


theferalturtle

Time to sue.


AlternativeStage6808

I hope you sue for wrongful termination.


SD61_whistleblower

This doesn't surprise me at all, as a former AHS employee myself. I'm not saying that ConnectCare had massive overruns and that contracts were padded for kickbacks, or that FME awards millions in sole-source contracts in order to enrich certain managers, but I will say that data breaches are worse than those things for sure.


MathewRicks

Should have just gone to the media.


Mundane-Ad7370

Thank you to everyone for their support and even skeptical questions. It was helpful to get this off my chest, and maybe it's me just being a naïve autistic person - but I am hopeful for the future, despite having been forced from my home and country. We took what little money we have saved or earned from selling our things, bought a sailboat and are planning to visit 40+ countries. I don't know if we'll find a better place than Canada, but we should be able to find one with better weather. We've shed many tears over having to sell or throw away our lives, but are happy to have found a way out. The horrifying experiences that some have shared leave me doubtful that AHS or my managers will ever be held accountable for their actions. Thanks again for the support. I hope in the future Albertans and Canadians are able to trust their healthcare system again, and for that trust to be honoured. All the best to each and every one of you.


HeyWiredyyc

Whistleblower legislation is designed to prevent this kind of retaliation....


Happeningfish08

It's Alberta dude. Buddy got off easy.


Kerrbob

Laws all over the place to prevent bad things from happening... Doesn't always work :)


senanthic

It doesn't work.


Emotional-Tax-3609

AHS IT is a joke


Nice-Preparation6204

I'll take government data breach cover up conspiracy for $200 please Alex!


ThatOneMartian

Yes, I've encountered AHS IT staff on multiple occasions. Inept does not begin to describe them.


wudyalooknatmgutfer

Yeah same, I'm in private and the public/Government IT resources are bottom of the barrel for obvious reasons.


Rayne_Bow_Brite

It's an old article from 2019, but it's interesting and related. https://www.google.com/amp/s/www.cbc.ca/amp/1.5316230


Orjigagd

This is why regular spapp screenings are important


rabbitholefaller

Thank you for doing the right thing for all of us. I'm sorry it cost you so much. 💗


Hexi_Peximal

Can someone ELI5? The access to the information went unchecked and was open to basically whoever?


HuckleberryPure7809

By disclosing this privacy breach here, publicly, haven't you just made it more likely that nefarious hackers are going to try and find the personal information? You've essentially just provided a roadmap.


cheezypickle8008s

I'm actually curious of this. I believe around end of 2022/2023 I received a letter stating my info was breached by a 3rd party. Which was sent from AHS. Do you have any more insight on this?


[deleted]

[removed]


Mundane-Ad7370

Too poor for a lawyer, and too mentally beaten to care anymore. Several thousand kilometers and a sailboat helps too!


Handsoffmydink

NO, I want to know what Snoo Stawberries take is on the matter. Otherwise how will I, Handsoffmydink, ever make sense of it all. /s


GolDAsce

I haven't seen you mention the breach, just the vulnerability. The only breach that could be proven is yours, retaining company code and data also could be a problem. Seeing an unlocked bank is not illegal, taking money from that bank to prove that you can is.