The CISSS de la Côte-Nord suffered a theft of encrypted data in November 2021 in the MRC of Sept-Rivières.
This leak occurred due to the theft of two computer equipment from a COVID-19 testing center.
It is not possible, for the moment, to specify whether the theft occurred in Sept-Îles or Port-Cartier, i.e. the two municipalities located in the MRC of Sept-Rivières since the CISSS has not not provide this information in the emails sent to TVA Nouvelles.
The stolen hard drives were “secured by an encryption method [sic]“, can we read in the emails received.
This means that the person or persons who stole the material might not read the data without the decryption key or without using more or less advanced computer calculation methods, as the cybersecurity researcher at the Polytechnique de Montréal explains. , Marc-Andre Leger.
“I can easily envision scenarios where someone might have stolen a computer, because we forgot to lock it. I understand that it might have happened, but I am not particularly worried regarding this situation, ”says the researcher, well aware of the technological issues of the health network.
The CISSS affirms that no user or partner was affected by the theft of so-called “non-personal” data.
This means that once deciphered, the data does not make it possible to identify a person directly, sums up Marc-André Léger.
“When we look at the response you got from the CISSS, we realize that the communications person who answered you probably had a lot of good will, but absolutely no idea what she was talking regarding. First, she says there is no personal data. Second, she says there was encrypted data. There is a contradiction for me, was there data or not? If the data were not important, if they were public for example, the side effects of a vaccine, there is no reason for it to be quantified”, specifies Marc-André Léger.
Clearly, if the data was encrypted, it was because it was important, and therefore, it was “most likely” nominative data allowing the identification of the vaccine or the health insurance number, depending on what advances the researcher.
The CISSS did not specify the nature of the stolen data and refused TVA Nouvelles’ request for an interview.
Confirming that no internal investigation has been conducted, a spokesperson for the institution wrote that the incident is currently in the hands of the Sûreté du Québec.
“I would be very inappropriate to criticize the skills of the Sûreté du Québec, they are extremely competent. The problem is more with the resources they have to allocate to these investigations,” says Marc-André Léger, who affirms that the SQ undoubtedly has “many other things to do” than to worry regarding. computer theft.
