Encrypting data isn’t cheap, nor is it necessarily easy. However, as the case of a laptop stolen in Ottawa last year shows, the damage to people can be high.
The laptop belonged to an employee of the Northwest Territories’ department of health and social services, in the national capital last May on a business trip. It was in a backpack in a minivan without a trunk that was broken into. The laptop was used to do statistical analysis on thousands of health records –almost everyone in the N.W.T — had a strong login password.
But as CBC News revealed this week after getting 350 pages of government documents and emails in an access to information search, if that password was cracked someone could get at more information than the N.W.T initially acknowledged.
First, the documents suggest the laptop contained health data from as far back as 2009. Second, after going over information the NWT realized that just over 39,145 residents could be affected by the breach, up from the 33,661 that was publicly reported. Counting 257 non-residents from other provinces and unidentified individuals, the total number of people potentially affected would be over 40,000.
And third, while about 47 per cent of N.W.T residents whose information was contained in the stolen datasets are thought to be at no risk of loss of identity theft because they were only identified by their health card numbers, the remaining 53 per cent could be at risk because their names, dates of birth and/or health-card numbers were stored on the laptop.
Some of the health data could be very sensitive. More than 50 per cent of all the records for N.W.T residents were in a tuberculosis surveillance dataset. Thousands of other records were related to HPV vaccinations, C. difficile (colon infections), pap smears, whooping cough, blood tests for tuberculosis, sexually transmitted infections and antibiotic-resistant diseases, among others.
Other information potentially on the laptop included: ethnicity, X-ray results, history of sexual partners, dates of death and “risk status.”
One problem is the N.W.T. has to rely on the memory of the employee about what data was on the laptop.
Ottawa police did not formally investigate the theft, according to internal emails, because was no video footage available from the area where the car was parked. Police assume the laptop storage was wiped and the device sold.
In a follow-up story today the CBC says it learned the employee responsible for the laptop had received training on how to securely handle portable devices just two weeks before the theft. The story doesn’t say whether encryption was part of the training.
The health and social services department told CBC that since the theft it created an action plan that includes mandatory “advanced privacy training” for staff across the territory, creating guidance documents on how to handle sensitive information on portable devices, creating online training modules for health information custodians and appointing a “privacy contact person” in all 13 divisions in the department to ensure new staff get ongoing training.