Category Archives: Security

$2 million ATM theft at Misericordia

Winnipeg police were called in after an external audit initiated by the hospital found irregularities. Police suggest the theft took place over a very long term and thus could add up to $2 million in losses from the hospital-owned ATM.

Thieves may have stolen a minimum of several hundred thousand dollars or as much as C$2 million (U.S. $1.9 million) from a nonbank-owned ATM deployed in the lobby of Misericordia Health Centre, said Constable Jason Michayshen of the Winnipeg Police Service.

“It is a large amount of money stolen from the ATM, and the theft is very significant and very concerning,” said Michayshen, who added that the thefts may have occurred over as many as 10 years.

This puts the current skimming stories and threats to ATMs, which seem sophisticated by comparison, in perspective; the problem here appears to be a lack of good old-fashioned secure process and procedure for ATM deposits and withdrawals. A lack of simple fraud monitoring and weak or nonexistent internal audits certainly did not help the situation.

Officials at Misericordia Health Centre must be taking a hard look at their audit and security management systems right now. I hope they have already initiated an extensive third-party review of patient files and confidentiality.

SSN Breach to 1987

Unfortunate news for Buena Vista University in BusinessWeek:

A northwestern Iowa university has reported a data breach on campus records which could include Social Security numbers of students and staff dating back to 1987.

Although the period is long, the University claims it could affect fewer than 100K people. The question is: what student and staff records system would keep SSN records going back 23 years? Tape backup? Were staff still identified only by their SSN in the financial system? Even in cases where records for minors must be retained, that gives a maximum of 21 years for retention.

Europe to Get Breach Reporting Law

ZiffDavis in the UK reports that Europe will soon have a data breach reporting law:

A law forcing all organisations to publicly declare data breaches is expected to be in place in the UK within four years.

According to lawyers at law firm Field Fisher Waterhouse (FFW), legislation requiring organisations to notify the relevant authorities as well as individuals affected in the event of a serious security breach involving personal data will be introduced across Europe.