The London Police Service snooped on private medical information 10,475 times between April and July.
It used a provincial database containing the personal health records of people who tested positive for COVID-19, and did so at one of the highest rates in Ontario.
Law enforcement gained the power to access people's personal medical information when the database was shared under an emergency order of the Ontario government in April.
The order gave police officers the ability to access the names, dates of birth, and addresses of anyone in Ontario who tested positive for COVID-19.
A group of legal and civil liberties organizations challenged the directive on the grounds that police access to such data was a violation of individuals' constitutional rights to privacy and equality.
The power was revoked by the Ontario government on July 22.
Source: https://www.cbc.ca/news/canada/london/london-police-covid-database-1.5690787
TPRM report: https://www.rankiteo.com/company/londonpoliceservice
"id": "lon214418123",
"linkid": "londonpoliceservice",
"type": "Data Leak",
"date": "6/2017",
"severity": "60",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"
{'affected_entities': [{'industry': 'Law Enforcement',
'location': 'London, Ontario',
'name': 'London Police Service',
'type': 'Government'}],
'attack_vector': 'Unauthorized Access',
'data_breach': {'personally_identifiable_information': 'Names, Dates of '
'Birth, Addresses',
'sensitivity_of_data': 'High',
'type_of_data_compromised': 'Personal Health Information'},
'date_detected': 'April 2020',
'date_resolved': 'July 22, 2020',
'description': 'The London Police Service accessed private medical '
'information 10,475 times between April and July using a '
'provincial database containing the personal health records of '
'people who tested positive for COVID-19. Law enforcement '
'gained this power through an emergency order by the Ontario '
'government in April, which was revoked on July 22.',
'impact': {'data_compromised': 'Personal Health Information',
'systems_affected': 'Provincial Database'},
'initial_access_broker': {'entry_point': 'Emergency Order',
'high_value_targets': 'COVID-19 Positive '
'Individuals'},
'investigation_status': 'Resolved',
'lessons_learned': 'Emergency orders granting access to sensitive data should '
'be carefully scrutinized and monitored.',
'motivation': 'Surveillance',
'post_incident_analysis': {'corrective_actions': 'Revocation of the emergency '
'order',
'root_causes': 'Lack of oversight on emergency '
'data access powers'},
'recommendations': 'Implement stricter controls and oversight for data access '
'granted through emergency orders.',
'regulatory_compliance': {'legal_actions': 'Challenged by Legal and Civil '
'Liberties Organizations',
'regulations_violated': 'Constitutional Rights to '
'Privacy and Equality'},
'threat_actor': 'London Police Service',
'title': 'London Police Service Unauthorized Access to COVID-19 Medical '
'Records',
'type': 'Data Breach',
'vulnerability_exploited': 'Legal Access via Emergency Order'}