When the B.C. government auctioned off data storage tapes thatcontained details of the medical status of thousands of people,including whether they are HIV-positive, mentally ill or consideredfit for work, they really stepped in it. But, sadly, it could havehappened anywhere.
“When you have a government body suffer a data breach like that,it is disturbing to say the least,” said Ross Armstrong, seniorresearch analyst at Info-Tech Research Group of London, Ont.”Unfortunately, it is not an uncommon occurrence.”
Any health care organization, whether a clinic or a hospital,first and foremost has a duty to protect patient information,according to Armstrong. It is a concept that has existed fordecades, long before the advent of the computers in theworkplace.
In B.C., the Vancouver Sun reported that the tape containing thesensitive information was among a set of 41 high-capacity datatapes that were sold for $101 at a B.C. government public auctionin Surrey in July 2005.
“It’s a crazy situation, and it’s made all the more crazy by thesheer fact of who the perpetrator is here – it’s the government,”Armstrong said. “Digitizing and making protected health informationmore portable means that obligation becomes that much morerelevant.”
Both federal and provincial data privacy laws could have beenbreached, he said.
The Sun noted that the unauthorized disclosure of privateinformation is an offence under the Provincial Freedom ofInformation and Privacy Act.
And in short order the B.C. Minister of Labour and Citizens’Services, Michael de Jong, admitted that there had been a”screw-up.” De Jong, whose ministry oversees the auction process,told the legislature that B.C. has a comprehensive set ofguidelines in place to govern how digital material is supposed tobe secured and disposed of.
“My guess on how it happened, based on my experience andspeaking with IT professionals, is that policy, a standard set ofprocedures that IT workers or whoever is in charge of data handlingmust follow when it comes time to reallocate resources, was justnot followed,” Armstrong said.
An organization’s guidelines for performing a certain taskshould be repeatable and the same for everybody, according toArmstrong. “Obviously, policy was not followed in this case.”
“Any organization following data privacy best practices ingeneral would have some kind of data sanitization policy, orhardware sanitization policy, in place so the appropriateindividual signs off on it,” he said.
It is a real problem because it is the government that sets thestandard for adhering to laws and it is also government thatenforces the laws, according to Armstrong.
“The problem with health information is that very often thepatient files will contain name, date of birth and social insurancenumber of a patient,” Armstrong said. “The patient’s actual medicalcondition notwithstanding, if that information becomes knownsomehow it’s embarrassing and it’s a violation of patientconfidentiality.”
With respect to the first three pieces of information – name,DOB and SIN —those are all that an identity thief needs to get acredit card in somebody else’s name and that causes problems forthe financial industry as well, he said.
“I don’t get the feeling that in this case the intent wasmalicious in any way. Somebody zigged when they should havezagged.”
IT equipment resale is a fairly common practice fororganizations across all industries, whether it’s private orpublic, health care or public administration, according toArmstong. “Everyone is so concerned about costs that they willthrow anything on eBay or for auction to reclaim a couple of bucksfrom it.
“IT budgets are usually pretty squeezed as it is. In the case ofIT (departments) they are tasked to do more with less. It is alwaysbeing demanded of them and it is one of the ways an IT manager,desperate to reclaim some of that budget money, can recoupcosts.”
The bottom line is that the onus is on whoever is holdingsensitive health care data, whether a health care organization orsome other agency, according to Armstrong.
“If they cannot adequately ensure and guarantee these types ofmedia are being properly sanitized, then they should be destroyingthem.” 061175