One of the country’s biggest health authorities has apologized to the community after an unencrypted SD card with personal health information of 18,000 clients was stolen last month.
The apology came in a statement from Emil Kolb, chairman of the Region of Peel, which includes the three municipalities immediately west of Toronto: Mississauga, Brampton and Caledon.
The region has a population of about 1.4 million people.
“We take our responsibility to protect personal health information very seriously,” Kolb said in the statement. “We did not do that and I apologize to all residents of Peel – but most importantly to those who were directly affected – for this breach.”
The card contained the name, address, birth date/age, marital status and assessment information of clients who were in the Peel Public Health department’s healthy babies and children program from March, 2010 to August, 2011, as well as a small number from earlier dates. There were no Social Insurance or Health Card numbers on the card, the statement said.
The loss comes after two serious losses of data last year on unencrypted USB sticks: In December, Human Resources Canada acknowledged that a staffer lost a memory stick with personal information on 5,000 Canadians, while in July Elections Ontario.
Ontario privacy commissioner Ann Cavoukian, who was outraged at the Elections Ontario mess, was in New York and unavailable for an interview. But she issued a statement saying she is “very disappointed” at the Peel incident.
“Personal health information contains some of the most intimate details of a person’s life. My office has issued several orders which state that personal health information must not be retained on any type of mobile storage device (e.g., SD cards, laptops, memory sticks, PDAs) unless it is absolutely necessary and if it is necessary, that it must be encrypted.
“This breach was reported to our office and we are looking into the incident. I am astounded to learn that someone within Peel Public Health appears to have been using unencrypted mobile storage devices to store personal health information. I call on all Ontario health care organizations to review their practices immediately.”
SD cards are commonly used in digital cameras and smart phones. However, most laptops made in the past two years have a slot for storage expansion.
The commissioner’s office noted that Ontario’s Personal Health Information Protection Act requires health information custodians to ensure data is protected against theft or loss as well as unauthorized use.
The office has issued several orders interpreting these provisions, including this 2007 fact sheet on encrypting personal health information on mobile devices, and this one on strong encryption.
“I want to reassure the public that this was an isolated incident,” Kolb said. “It is not standard or acceptable practice for us to put client information on unencrypted devices. As part of our investigation into this breach, we will be examining all of our privacy and protection protocols, and tightening controls on the information that has been entrusted to us.”