ADVERTISEMENT

Ottawa

'I am deeply troubled': Data breach impacts clients at Lanark County family services organization

Published: 

Privacy breach at Lanark Family and Child Services For the third time since 2015, there has been a privacy breach at Family and Children's Services of Lanark, Leeds and Grenville.

Family and Children’s Services of Lanark, Leeds and Grenville (FCSLLG) once again finds itself dealing with a privacy breach.

  • Sign up now for our nightly CTV News Ottawa newsletter
  • The information you need to know, sent directly to you: Download the CTV News App

At least four people have been contacted by FCSLLG, informing them that they or a child in their care may have been impacted by a "data security incident."

CTV News has obtained a copy of one such letter, which was sent out on Jan. 26.

"Personal information relating to [redacted] may have been available to the unauthorized third party: full name, case type, kinship service(s), dates of kinship service(s) and Child Protection Identification Number (CPIN)," reads a portion of the notice.

"We want to assure you that we have no evidence that [redacted] personal information was accessed or used by the unauthorized third party. Furthermore, we are not aware of any misuse of personal information as a result of this incident."

This is not the first time the organization, which offers family services including adoption, foster care and parenting resources, has faced a security data breach.

In 2016, the names of 285 people who had been referred to FCSLLG were revealed on Facebook, after the organization’s website was hacked.

That led to legal action and in 2021, FCSLLG agreed to pay a $5 million settlement, plus additional money to cover the cost of legal proceedings of the settlement.

One of the individuals who was sent a notice by FCSLLG tells CTV News by email that they are upset that they never received a phone call or a physical letter informing them of the issue.

CTV News has agreed not to share that individual’s identity.

"As a concerned citizen and a parent, I am deeply troubled by this breach of trust. The Children's Services department is entrusted with the responsibility of protecting the welfare and rights of children and families, and a breach of this magnitude raises serious concerns about their ability to safeguard our sensitive information," read a portion of the email.

“I firmly believe that the violation of my rights through this security breach is not only a breach of confidentiality but also a breach of trust. It is essential to acknowledge that this incident has potentially exposed my personal information to unauthorized individuals, leaving me vulnerable to potential identity theft, fraud, or other harmful consequences."

It’s not clear who obtained the personal information of those impacted, or how it has been used.

"Family and Children’s Services of Lanark, Leeds and Grenville became aware that an unauthorized third party gained access to a single employee’s email account and subsequently accessed certain emails,” said FCSLLG's executive director, Erin Lee Marcotte.

"In response, we immediately engaged a team of third party cybersecurity experts to investigate the incident. The investigation has concluded and all potentially affected individuals have been notified, along with the Information and Privacy Commissioner of Ontario."

Technology analyst Carmi Levy tells CTV News theses types of incidents are becoming increasingly more common. However, it is rare for one organization to experience more than one breach in such a short period of time.

"This is eye-opening simply because of the frequency and the fact that is seems to be happening in fairly short order," said Levy.

"Personal information can be very damaging in the hands of a cyber criminal. They can use it on its own, or in combination with other data that has been leaked from other sources to launch identity attacks, to launch financial attacks, to launch ransomware attacks.”

There is no indication that any of those types of attacks have occurred in this latest case, but when talking about sensitive data involving vulnerable minors, there is an increased degree of stress.

"If you are one of these individuals, the first thing you want to do is look at all of your other digital accounts and lock those down," said Levy.

"Change your passwords, turn on all of the security features like two or multi-factor authentication and make sure that if someone does in fact use this information to come after you, you’re as best protected as you can possibly be."

Correction

A previous version of this article incorrectly said there was a data breach at the organization in 2015. The incident actually happened in 2016.