Cyber Incident Victim: Alberta Health Services
Date: Aug 2019
Location: Canada
Summary
Unauthorized individuals gained access to a physician's personal Gmail account, potentially exposing the personal health information of approximately 7,000 patients. The exposure was possible because the private email account had been improperly used to transmit sensitive health data from a Calgary-based diagnostic center. The healthcare provider notified affected individuals about the security lapse.
Description
On August 22, 2019, Alberta Health Services (AHS) publicly disclosed a breach involving the personal health information of approximately 7,000 patients. The incident stemmed from a physician’s improper use of a private Gmail account to transmit sensitive patient data while working at the Richmond Road Diagnostic Centre in Calgary. Unauthorized individuals gained access to this personal email account, compromising protected health information that had been inappropriately shared through the unsecured channel. AHS confirmed the breach occurred due to this violation of organizational protocols prohibiting the use of personal email for transmitting confidential patient records. The health authority initiated an investigation upon discovering the compromise, though the exact timeline of the email account intrusion and duration of unauthorized access remained unspecified in public communications.

AHS formally notified all affected patients on the disclosure date, warning that exposed information could include names, personal health numbers, and details related to diagnostic tests or medical services received at the facility. The health service emphasized its internal systems remained secure, attributing the incident solely to the physician’s non-compliant use of external email. As part of its response, AHS implemented credit monitoring services for impacted individuals and established a dedicated call center to address patient inquiries. The organization reiterated its policy requiring healthcare providers to use only approved, secure communication channels for patient data. No evidence suggested broader systemic failures within AHS infrastructure, with containment efforts focused on securing the compromised account and reinforcing staff compliance with existing data handling policies.
