Almost four months after the incident, Albertans are just finding out that a laptop containing the health records of 620,000 residents of the province has gone missing.
The laptop, which belongs to an IT consultant working with Medicentres Canada, a group that operates family healthcare clinics in Edmonton, Calgary, London and Windsor, was reported stolen on September 26 last year.
Dr. Arif Bhimji, chief medical officer of Medicentres, said the laptop was stolen in Edmonton. The consultant had access to such a huge amount of information because he was working on a database used for submitting claims to the Alberta government, Bhimji told the CBC.
Bhimji said he wished they could have informed authorities sooner but said this was the first time Medicentres had to deal with such an incident and “it took longer than we would have liked.”
The device contained the names, dates of birth, provincial health card numbers, diagnostic codes and billing codes of persons attended to at Medicentres facilities in Alberta between May 2, 2011 and September 10, 2013, according to media reports.
Health Minister Fred Home said he learned about the theft only on Tuesday, when he got a letter from the vice-president of Medicentres.
Calling the theft “unacceptable in Alberta’s healthcare system,” Home also said he is “outraged” that the incident was not reported to him or his department sooner. Home said he has asked the privacy commission to investigate the incident and find out why health officials were informed of the theft sooner.
The incident could have been avoided if parties concerned were following proper privacy and data protection policies, according to Tony Busseri, CEO of Toronto-based security and ID management company Route 1 Inc.
The number one issue, he said, is that the Ministry of Health should have safeguards around its sharing of health records with other organizations such as private health centres. Next, Medicentres itself should have a policy that prevents employees and contractors from carrying sensitive information and patient data on their devices.
“There is no need for people to take data out of the network,” Busseri said. “We now have technology that allow regulate people’s access to data, allow them to work with it and manipulate it but prevents them from loading data into their devices.”
He also said mobile device management (MDM) tools can be effective but they are “not bullet proof.”
“If you don’t keep sensitive data in your device in the first place, you already minimize the risk of data theft,” he said.
The incident is just one in a long string of data breaches and digital records theft in Canada in the last few years, In October an unencrypted SD card containing the health records of 18,000 Ontarians was reported stolen. Much earlier a portable hard drive from Human Resources Canada (now called Employment and Social Development Canada) containing the personal records of 585,000 people was lost. A Justice Department employee also lost a USB key containing sensitive information on 5,000 individuals.
In a press statement, Medicentres said they were told of the incident on October 1, 2013.
The statement said police and the privacy commissioner were notified immediately. Edmonton police said they were informed of the theft on October 5.
“To date, Medicentres has no information to suggest that any of the personal information on the laptop has been accessed or misused,” the statement said. “Medicentres has already implemented a number of additional security measure and we are further auditing our security policies and procedures and implementing further measures to ensure that personal information is further safeguarded.”