API Configuration Issue with AFMC Student Portal


We would like to inform you about a recent incident involving the Application Programming Interface (API) configuration of the AFMC Student Portal. On June 1, 2023, it was discovered that there was an issue with the API that resulted in unauthorized access to learner information by a third-party entity. We take this matter seriously and want to address it promptly and transparently.

The incident occurred when Bureau de coopération interuniversitaire (BCI), which is a Government of Quebec Agency that provides services to schools in Quebec including the processing of visiting electives, reported errors with the API on May 25th. These errors were resolved by our vendor, In Place, on May 31st. However, on June 1st, BCI notified us that they were receiving student information for learners who had not applied to the school where the information was being extracted from via the API.

After investigating the issue, it was determined that the security protocols for the API were not functioning correctly, leading to this breach. We immediately raised an urgent ticket with our vendor to rectify the situation. We have confirmed that BCI was the only entity with access to the production API during this incident and that the issue has been resolved.

We want to assure you that protecting your personal information is of utmost importance to AFMC. We regret any inconvenience or concern this breach may have caused and want to emphasize our commitment to addressing the issue.

Actions taken to address the breach:

  • Resolution: Our portal vendor has resolved the issue and implemented the necessary configuration changes to ensure the security protocols are functioning properly.
  • Documentation Update: We have requested our vendor to update their documentation to provide detailed instructions on the API user account configuration process.
  • Verification Process: AFMC will conduct an additional API verification process after each new release of In Place to ensure the integrity of the system.
  • Certificate of Destruction: We will require BCI to provide a Certificate of Destruction to confirm the deletion of all copies of the data received during this breach.

Protecting your personal information and privacy is our priority, and we have learned from this incident to strengthen our processes and prevent similar occurrences in the future. We apologize for any inconvenience or distress this may have caused you.

If you have any questions or concerns about this breach, please do not hesitate to contact us at privacy@afmc.ca. We appreciate your understanding and cooperation in managing this incident.

Frequently Asked Questions (FAQs):

Q: What happened with the API configuration within the AFMC Student Portal?

A: The Student Portal contains the ability to use an industry standard Application Programming Interface (API) to pull information from the Portal to push to other applications used by schools in the coordination of electives. The portal vendor delivered an enhancement which included security protocols to ensure that users of the API would only see information for their school. On June 1, 2023, it was discovered that there was an issue with the API configuration, resulting in unauthorized access to learner information by a third-party entity, BCI. This breach affected learners who had not applied to Montreal, outside of Quebec.

Q: How was the breach identified?

A: BCI reported that their system was rejecting a high number of records. When they investigated, they determined they were receiving (and rejecting) records for students who had not applied to Montreal. This triggered an investigation, and it was determined that the security protocols of the API were not functioning correctly, leading to the breach.

Q: Has the issue been resolved?

A: Yes, the issue has been resolved. Our vendor, In Place, identified and fixed the configuration settings that were not properly set at the region level. The breach has been addressed, and measures to prevent future configuration errors have been put in place.

Q: How does this breach impact the learners whose information was accessed by BCI?

A: We want to assure you that the impact of this breach is limited. BCI is a Government of Quebec Agency that provides services to schools in Quebec including the processing of visiting electives, and the issue was contained within their access. The unauthorized access was not made public, and BCI has confirmed that no learner records from outside Quebec were processed by their system. While we take any breach of personal information seriously, we want to emphasize that the breach was limited to BCI’s access and measures have been taken to address the issue and prevent future occurrences.

Q: Who is Bureau de coopération interuniversitaire (BCI)?

A: Under the auspices of the Medical Affairs Working Group (MEDU), BCI coordinates compliance with government policies on admission to university medical programs in Québec, both for undergraduate programs leading to an M.D. and for postgraduate programs. It also promotes dialogue and collaboration between the four faculties of medicine through the work of the Conference of Deans of the Faculties of Medicine (CDFM), the Conference of Executive Vice Deans (CVDEX), the Conference of Vice Deans of Postgraduate Education in the Faculties of Medicine (CVDFM), the Conference of Vice Deans of Undergraduate Education in the Faculties of Medicine (CVDPCFM), and the Provincial Interfaculty Committee on Admission in Medicine (CIQAM).