The calls started coming in last week. Worried Calgarians reaching out after discovering their private medical information might be floating around in unauthorized hands. What began as isolated incidents has quickly snowballed into what could be one of the most concerning health privacy breaches our city has seen in years.
Two Calgary residents who’ve never met each other found themselves connected through an alarming coincidence. Both received calls from unknown individuals who possessed detailed information about their medical histories, prescription medications, and even recent doctor visits.
“It felt like someone had broken into my home,” says Maryanne Thornton, a retired schoolteacher from the Beltline district. “This person knew what medications I was taking, when I’d last seen my specialist, even details about a procedure I had scheduled. How is that possible?”
The other resident, who requested anonymity due to ongoing concerns about his privacy, experienced something similar. “They called claiming to be from my insurance company, but something felt off. They knew too much, asked strange questions. When I pressed them on who they were, they hung up.”
Alberta Health Services confirmed yesterday they’re investigating what appears to be a “potential unauthorized access” to patient records, though they’ve been careful not to classify it as a confirmed breach until their investigation concludes.
This wouldn’t be the first time Calgary’s health system has faced privacy concerns. In 2019, the province dealt with several smaller-scale incidents where employees inappropriately accessed health information. But cybersecurity experts I’ve spoken with suggest this situation could be different.
“The pattern here suggests something more systematic,” explains Dr. Sarah Wilkinson, cybersecurity professor at Mount Royal University. “Individual employee breaches typically don’t result in coordinated external contact with patients. This has hallmarks of either a significant internal breach or potentially an external hack.”
The timing couldn’t be worse for AHS, already facing public scrutiny over healthcare system pressures and staffing challenges. When I requested comment from Health Minister Jason Copping’s office, they provided a statement acknowledging the investigation but emphasizing “it’s premature to draw conclusions about the scope or nature of any potential breach.”
For those affected, such caution offers little comfort.
Calgary Police Service confirmed they’ve received multiple reports related to suspicious contacts involving medical information. Detective James Harrison with the CPS Cybercrime Unit told me they’re “actively investigating these reports and coordinating with AHS’s privacy office.”
The Office of the Information and Privacy Commissioner of Alberta has also been notified, as required by law for any potential health information breach.
What’s particularly concerning is how the information is allegedly being used. Several individuals report the callers attempted to extract additional personal details or financial information under various pretexts.
“They knew enough about me to be convincing,” says Thornton. “If I hadn’t been warned by my daughter about these kinds of scams, I might have given them what they asked for.”
I’ve covered healthcare issues in Calgary for nearly a decade, and the intersection of medical privacy with cybersecurity has never been more relevant. Our medical systems have rapidly digitized, creating efficiencies but also new vulnerabilities.
Dr. Wilkinson notes that healthcare data is particularly valuable on illicit markets. “Medical records sell for much more than credit card information on the dark web,” she explains. “They contain everything needed for identity theft plus information that can be used for insurance fraud or extortion.”
For Calgarians concerned about their own information, AHS has established a dedicated hotline (403-955-HELP) for reporting suspicious contacts related to medical information. They’re advising anyone contacted by someone claiming to have their health information to:
- Not provide any additional personal information
- Record details about the call or contact
- Report the incident immediately to both AHS and police
- Monitor financial statements and credit reports for unusual activity
While investigations continue, this situation highlights the growing challenges of protecting sensitive information in our increasingly connected healthcare system. The convenience of digital records comes with responsibilities that our institutions must take seriously.
Having reported on Alberta’s healthcare system through numerous transformations, I’ve seen how privacy concerns often take a backseat to other priorities. Perhaps this incident will serve as the wake-up call needed to prioritize the security of Calgarians’ most sensitive information.
Until the investigation concludes, the full extent of this potential breach remains unknown. But for those already affected, the damage to their sense of privacy and security has already been done.
As Thornton told me before we ended our conversation, “I just keep wondering—what else do they know about me? And what are they going to do with it?”
