
International Student Health Insurer Breached

Incident at Canadian Firm Spotlights Complex Notification Issues
International Insurance has posted a notice for visitors to its website about its recent data security incident.

A data security incident involving a Canada-based insurer that provides comprehensive health coverage to students studying abroad shines a light on complex international regulatory issues companies can face in the wake of a data breach.

International Insurance, which calls itself one of the world's largest insurance providers in international education, says in a notice posted on its website that it has taken down the site's functionality "in an abundance of caution" after detecting recent suspicious activity directed at its website.

"Our information systems and IT teams are reviewing measures to ensure the site has enhanced security in order to return the site to full service as quickly as possible," the notice says. The company did not immediately respond to Information Security Media Group's requests for additional information about the incident.

News site Bleeping Computer reported on Monday that a breach notification letter being sent to affected students says that the company's IT team discovered "unusual activity" on its website May 12.

"The vulnerability has been addressed. Our experts are diligently investigating the matter further," the notification states, according to Bleeping Computer.

The vulnerability allowed an intruder to access students' dates of birth, genders and encrypted passwords. For some students, email addresses, mailing addresses and phone numbers were also exposed, according to the breach notification letter. The company also notes in the letter that it is implementing new policies for increased security, including database segmentation and two-factor authentication.

Regulatory Patchwork

On its LinkedIn page, the company notes that it has offices worldwide, including in North America, Australia, Europe, the Middle East, Africa and Latin America. Recently, it launched "the industry’s first and only mental health support program for international students," the company says.

Some regulatory attorneys say the company faces a complicated patchwork of international and local breach reporting and notification mandates.

"The most important point to make about this type of breach incident, which even many attorneys and compliance personnel don’t realize, is that the location where any particular 'data subject' or individual affected by a breach incident resides is key to the analysis of data privacy and security requirements outside of U.S. federal laws, like HIPAA, Family Educational Rights and Privacy Act, and the Privacy Act," says privacy attorney Iliana Peters of the law firm Polsinelli.

An organization experiencing a data breach may have many obligations to many different countries, as well as states or territories within countries, if it holds the data of their residents, she notes.

"As such, it is crucial that entities understand what data they hold for what individuals, including where those individuals live, before a security incident occurs, so that those entities can develop and implement the correct policies and procedures to comply with the applicable state, federal, territorial and international legal requirements."

Careful Assessment Needed

Regulatory attorney Nancy Perkins of the law firm Arnold & Porter stressed that the company will need to look at a number of issues, including the country in which each affected student resided when they provided personal data to the company.

The company will need to comply with the breach notification rules in each applicable country, state or territory, she adds. That likely includes breach notification requirements at the federal level in Canada and in any Canadian province and the breach notification laws in U.S. states in which students reside.

It's also very likely that the EU's General Data Protection Regulation will apply, Perkins says. That's because the company apparently offers its insurance coverage to individuals in Europe, and the GDPR applies to entities outside the European Union that “offer goods or services” to individuals in the European Economic Area and collect their personal data, she notes.

"If no personal data was collected about those individuals except when they were outside the EEA, the GDPR would not apply because nationality is not the hook for GDPR jurisdiction," Perkins says.

In the U.S., HIPAA would not likely apply to the incident, she notes.

"Even though the HIPAA statute and regulations do not expressly address extraterritorial scope and thus potentially could apply to a Canadian health insurance provider, the likelihood that the Department of Health and Human Services would devote its enforcement efforts against a Canadian company seems very low, given that there would be significant jurisdictional obstacles to overcome as a practical enforcement matter," she says.

"Canadian privacy laws likely would apply because [the company] is required under those laws to protect the personal data of all individuals, regardless of citizenship, that it processes."

About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.
