Alberta College of Paramedics privacy breach put information of thousands of members at risk

A breach in the Alberta College of Paramedics navigation portal may have put the personal information of thousands of first responders in the province at risk.

ACP is a regulatory college that governs and regulates the province's emergency medical responders, emergency medical technicians, and emergency medical technologists.

The regulatory college said in a release that there was a security breach and they have "contained the access." The cause for the breach is reported to have been a software update to the regulatory college's employee portal.

The compromise happened from 7:30 p.m. on Sept. 23 until 11:30 a.m. the next day. ACP said during the breach people with a login could "log into the system and view another practitioner's information in our database."

Furthermore, it was possible for someone not registered with ACP to create a username and password and view the information. ACP said that, according to their records, five people did this during the period of the breach.

ACP are investigating the breach and said they will be notifying the Alberta's privacy commissioner on Monday morning.

'It's not acceptable'

Roberta Sanchez, an emergency medical responder registered with the ACP, said that she found out about the breach Saturday morning on a Facebook page for paramedics that work in the oil field and decided to see for herself.

"I went on there and logged in and it took me to a third-party site, which wasn't our regular navigation portal through the college. I was able to see all my personal information," said Sanchez.

"Any member at that time could go in and just put my name in and look me up under member directory and all my information was there."

Sanchez said this personal information included her full name, her phone number, her mailing address and her email address. It also included how many time she registered for the college and how she paid for that.

"All of that information was accessible to any member that did a search on a members directory. This I didn't think was in my, or anybody else's, best interest.

"That's just not right."

People in the portal at that time could also see education and provincial exam records, the user's registration numbers and financial records, including receipts and the last four digits of credit card numbers.

Sanchez said that in order to work in the province an EMR, EMT or EMT- P must be registered with the college and would thereby be searchable in their membership directory. She estimates the number to be near 10,000 people.

While Sanchez feels she will be fine, she worries about others, especially those who may know it happened.

"I'm upset about this. I don't think they understand the ramifications of this. There are some people out there and from their past, they don't need people knowing what their address is," she said, "This is a big breach of confidentiality. If this happened with a patient it would not be acceptable.

"These are members of [ACP]. It's not acceptable."