While privacy experts worry proposed COVID-19 mobile contact tracing apps will reveal personal information of users, a northern Ontario health authority has admitted a privacy breach has happened the usual way: A website configuration mistake.
The North Bay Parry Sound District Health Unit said Thursday that results of coronavirus tests of 3,000 area residents were accidentally accessible for anyone with some computer knowledge to read on the Health Unit’s COVID-19 data dashboard this week. The dashboard has information related to the number of COVID-19 tests and confirmed cases in the area.
The exposed data included first and last name, municipality, unique identifying number, testing date and location, and the test result of people tested before May 9th. It may also have included a telephone number. It did not include financial information, health card numbers or any other health information.
“We believe the likelihood that individual data was accessed is quite low,” the health authority said in a notice on its website.
In a statement to IT World Canada the health unit said “personal information was accessible, though not openly displayed. We have fixed the problem and changed the way we upload data to be sure it doesn’t happen again.”
UPDATE: In a follow-up Alex McDermid, public relations specialist with the health unit, said it believes the chances that anyone else viewed individual personal health information are very low because doing so required a number of steps that were not obvious. These steps included “right-clicking” on one of the bar graphs on the dashboard and selecting one of four options from a dropdown menu. Nothing on the dashboard indicated that additional information could be seen by right-clicking on tables, charts and graphs. “We have not received any other complaints or any indication that anyone else accessed personal health information except for the person who informed us.”
Those affected are being notified by telephone or mail. The incident has also been reported to the appropriate authorities, including the Information and Privacy Commissioner of Ontario.
“Our team has been working around the clock to ensure our community is safe, cared for and has access to accurate and timely information as we collectively battle COVID-19,” Dr. Jim Chirico, the district’s medical officer of health, said in a statement. “We also take very seriously our obligation to respect and maintain individual privacy. This mistake should not have happened, and I am very sorry it did.”
Upon learning of the breach from a member of the public, the information was immediately removed from the website. The Health Unit has sent letters to all those who have been affected. The Health Unit has launched a thorough investigation into its privacy policies. “As well, we have put in place additional measures to ensure a similar breach does not happen again in the future,” the statement said.
The Health Unit provides services to over 120,000 residents within an area consisting of most of Nipissing District, and all of Parry Sound District. The area includes 31 municipalities, four unorganized areas, and nine First Nation reserves.
The incident angered former Ontario privacy commissioner Ann Cavoukian. “Such an unauthorized disclosure of sensitive personal information is completely unacceptable. Health information is the most sensitive personal information in existence. The availability of COVID-19 test results on the Health Unit’s Dashboard is bad enough, but having these test results made accessible through a data breach is appalling.” Cavoukian is now the executive director of the Global Privacy & Security by Design Centre in Toronto.
In a statement the office of the Ontario Information and Privacy Commissioner said a breach of personal health information is a serious matter. “This sensitive information must be protected to maintain the confidence of Ontarians in our health care system, especially during a public health crisis. At this time, our office is not aware of any other incidents of public health units or other health care institutions in Ontario related to unauthorized disclosure of COVID-19 related personal health information.
“When investigating privacy breaches, we examine the causes of the breach, as well as the organization’s response to the incident. We look to establish whether the breach has been contained, the appropriate people notified, and whether corrective action has, or should be, taken to prevent any future breaches.”