BIOS Medical - The Final Chapter - "Lacks adequate security safeguards to protect customer personal information"

While the COVID-19 virus is causing havoc amongst most of the world, the social distancing and self-isolation have given many, including myself, the ability to catch up on a few projects. This week I received a Report of Findings from the Office of the Privacy Commissioner of Canada, outlining their findings with regards to my complaint, including:

Following the investigation, we have concluded that your complaint, that BIOS lacks adequate security safeguards to protect customer personal information, is well founded and conditionally resolved.

After 28 months (yeah, almost 2 1/2 years) this saga has finally come to a close for something as simple as failing to design and use a proper API to secure customers' medical information. For more detailed information on the issues that have been found with BIOS Medical's blood pressure monitoring software, see the following articles.

BIOS Medical / Thermor LLC - Vulnerability Report - Blood Pressure and Digital Temperature
BIOS Medical / Thermor LLC - Update - Strike 2 - Customers data still being exposed

Some highlights from the Report of Findings are:

The Complainant communicated his observations to the Respondent and expected changes to be made to improve the Respondent’s safeguards related to the devices. Despite numerous exchanges and follow-ups with the Respondent, the Complainant remained unsatisfied with the responses he received, in particular observing that while the vulnerabilities associated with the Thermometer appeared to have been resolved, the issues with the BP Monitor persisted. As a result, he filed a complaint with our Office.

We found that the Respondent’s [ BIOS Medical ] safeguards were inadequate in many respects, which was particularly concerning given the volume and sensitivity of the information at risk.

We note that the App collected a large volume of personal information, including emails and associated passwords, which could potentially be used to access users’ other accounts for which the same email and password had been used. The App also processed users’ medical information. This constitutes highly sensitive personal information requiring a high level of protection.

BIOS claimed that the development of the BP Monitor and associated app had been outsourced to a Chinese firm, which had not built in adequate safeguards. However, regardless of who developed the products for BIOS, BIOS was still required to ensure adequate safeguards for the personal information it collected, used and disclosed via that technology.

Via our own testing, we identified several further security vulnerabilities, in addition to those identified by the Complainant, including the following:

a. The Respondent’s server could be accessed without authentication, such as user ID and password, which rendered the servers vulnerable to unauthorized access via a “brute force” attack (i.e., an automated iterative approach to guessing values that would allow access).

b. There was no intrusion detection system in place, such that BIOS was not able to detect suspicious activities, such as repeated attempts to contact their servers.

c. Access to their server and other infrastructure were exposed on the internet and susceptible to known vulnerabilities. During the course of our investigation, in response to concerns raised by our Office, BIOS implemented a firewall that still did not adequately protect the app server from unauthorized access.

d. Security risk assessments were not being regularly conducted to evaluate the risks posed by technological developments or new threats.

Accordingly, we find the complaint to be well-founded and conditionally resolved.
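Finding (b) above is the one that is cheapest to address and easiest to illustrate: an API server that sees hundreds of failed logins from one client in a minute has all the information it needs to raise an alarm, it just has to look. The following is an added example, not code from BIOS Medical or from the OPC report, showing the minimal detection logic over a constructed access log. The log line layout, the `/api/login` path, the IP addresses, and the threshold of 5 failures per one-minute window are all assumptions chosen for the illustration.

```python
"""Flag clients that generate repeated failed authentication responses.

Added example (not BIOS Medical's or the OPC's code). The log format,
sample lines, threshold and window below are constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Assumed log layout: "<ISO timestamp> <client ip> <method> <path> <status>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<method>[A-Z]+) "
    r"(?P<path>\S+) (?P<status>\d{3})$"
)

# HTTP statuses the API returns when credentials are rejected (assumed).
FAILED_STATUSES = {401, 403}

# Constructed sample log: one client hammering the login endpoint, one client
# with two widely separated failures, one normal request, one junk line.
SAMPLE_LOG = """\
2020-04-01T10:00:00 203.0.113.7 POST /api/login 401
2020-04-01T10:00:05 198.51.100.4 POST /api/login 401
2020-04-01T10:00:10 203.0.113.7 POST /api/login 401
2020-04-01T10:00:15 203.0.113.7 POST /api/login 401
2020-04-01T10:00:20 192.0.2.10 GET /api/readings 200
2020-04-01T10:00:25 203.0.113.7 POST /api/login 401
2020-04-01T10:00:30 203.0.113.7 POST /api/login 401
2020-04-01T10:00:35 203.0.113.7 POST /api/login 401
2020-04-01T10:05:00 198.51.100.4 POST /api/login 401
this line is not a log entry
""".splitlines()


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "ip": m["ip"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Return a list of (ip, first_failure_ts, failure_count) alerts.

    A client is reported once, the first time it accumulates `threshold`
    failed-auth responses inside a sliding window of length `window`.
    Failures older than the window are dropped, so a client that fails
    occasionally over a long period never trips the detector.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["status"] not in FAILED_STATUSES:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # expire failures outside the window
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in alerted:
            alerted.add(ev["ip"])
            alerts.append((ev["ip"], q[0], len(q)))
    return alerts


if __name__ == "__main__":
    for ip, first_ts, count in detect_bruteforce(SAMPLE_LOG):
        print(f"ALERT {ip}: {count} failed logins since {first_ts.isoformat()}")
```

On the sample log this reports 203.0.113.7 after its fifth failure at 10:00:30, while 198.51.100.4, whose two failures are five minutes apart, is never reported. The same loop works as a tail on a live log, and the alert is the point at which a rate limit or temporary block for that client would normally be applied; none of that existed on the server the report describes.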

And last but not least, an important tidbit with regards to a continuing remedy, if I so choose to pursue it.

Now that you have our report, we wish to inform you that, pursuant to section 14 of the Act, you have the legal right to apply to the Federal Court of Canada (the “Court”) to pursue this matter further.

Should you wish to proceed to Court, we suggest you contact the Court office nearest you. Normally, an application must be made within one year of the date of this letter. If you file your application with the Federal Court, you must serve the Privacy Commissioner of Canada with a copy of the application within 10 days, pursuant to paragraph 304(1)(c) of the Federal Courts Rules.

I guess I'll have some reading to do of sections 14 & 15 of PIPEDA.

Cover Letter

link to document

Report of Findings

link to document