There was an EMS program privacy and security breach in the Prairie Mountain Health region.

More than 15-hundred patients and staff have been notified after a privacy breach at the regional health authority that covers all of Southwestern Manitoba.

Prairie Mountain issued the following release regarding the breach:

*There was a privacy/security breach of an internal Prairie Mountain Health (PMH) website used by Emergency Medical (ambulance) Services for educational and quality assurance purposes. The privacy breach involved Prairie Mountain Health patient information regarding ambulance transportation records by EMS staff from 2013 to this year.

* The privacy and security incident, which was discovered by PMH on April 5, 2017, involved personal information pursuant to FIPPA and personal health information pursuant to PHIA. Those impacted included PMH clients as well as PMH and affiliate employees in the northern part of PMH. It remains inconclusive on whether the records were actually accessed. However, the number of individuals at risk are 1176 clients and 453 PMH and affiliate employees. The information at risk of compromise included demographic and clinical information regarding clients and demographics and limited employment information regarding PMH and affiliate employees.

*It is our impression that the intent of the ‘hack’ was not targeted at accessing this information but rather to infect and transmit a virus into files maintained within this website. Although the likelihood is low based on how this information was stored on the site, we cannot exclude the possibility that identifiable personal and personal health information may have been, at minimum, viewed by the attacker, and/or copied. The information at risk was not stored in a way that would be easily extracted for further use by the attacker (i.e. an entire database was not compromised). It was limited to select files only and would have required going through each individual file and transposing, in the case of client information, hand written information.

*Written notifications were sent out to the affected PMH and affiliate staff on April 6th. Letters to affected patients were sent out starting on April 12th to around May 19th as current contact information was confirmed.

*Anytime there has been a compromise of personal or personal health information, we remain concerned. However, PMH carried out our best efforts to notify impacted individuals as soon as reasonably possible so that any necessary precautions could be taken.

*All necessary containment and prevention actions have been taken.