As a report into one of the NWT’s biggest-ever health privacy breaches is made public, the territory’s outgoing health minister insists “attitudes have changed significantly.”
Privacy commissioner Elaine Keenan Bengts’ full report is dated May 27 but was only uploaded to the commissioner’s website at the end of August.
The report sets out, step by step, how a laptop containing records relating to more than 30,000 NWT residents came to be stolen from a vehicle in Ottawa during the spring of 2018.
Keenan Bengts accuses the NWT government of failing to learn some key lessons from the breach and continuing to follow questionable practices a year after the theft took place. A health department spokesperson contested that assertion.
The report makes 14 recommendations. The Department of Health and Social Services told Cabin Radio it is following every one of them and has already taken six major steps to address issues identified by Keenan Bengts.
Glen Abernethy, speaking in a personal capacity as he steps down as health minister, said the NWT’s Health Information Act – introduced in 2015 – was doing its job by keeping the department accountable when breaches occur, and helping staff to learn from them.
“We haven’t had the same breach occur more than once,” said Abernethy. “If you look at some of the things that have happened, there are new and creative ways of having mistakes made.
“We’re dealing with human beings and human beings are going to make mistakes. The trick is to learn from those situations and make sure that we don’t have duplicate situations.
“The next Minister of Health and Social Services, regardless of who he or she is, they are going to have to keep pushing and make sure this stays a priority.”
The NWT government is expected to shortly face the equivalent of a class-action lawsuit related to a series of recent health privacy breaches.
Abernethy is not contesting his Great Slave seat in next week’s territorial election after a six-year tenure at the department and 12 years as an MLA.
Keenan Bengts’ 46-page report into the May 2018 laptop theft describes how an employee on duty travel left the computer inside a rented minivan while they went for dinner at the ByWard Market with a friend.
Though the employee outlined a number of steps taken to park in a well-lit and secure parking lot, later that night they discovered the laptop had been taken.
“The employee immediately notified the department’s privacy unit, returned to the parking garage, and spent three hours going through dumpsters, flagging down security guards and revisiting the scene, all to no avail,” Keenan Bengts writes. “He also reported the theft to the Ottawa police.”
The staff member even visited local pawn shops and “monitored Kijiji” in an attempt to get the laptop back over the following days. It did not turn up. Police closed the file in late June 2018.
Though deputy minister Bruce Cooper said at the time that “33,661 unique NWT residents may have been affected by this incident,” the report states nobody actually knows for sure which files were on the laptop and how many people’s records were involved.
The employee using the laptop worked in Population Health, which tracks and analyzes health data. The employee had not kept a log of which files were on the machine, but the privacy commissioner was provided with a best-guess list of 11 different spreadsheets.
Those spreadsheets related to a number of things, among them:
- information about TB cases and contacts (potentially involving the records of just under 29,000 people); and
- flu and HPV vaccine records (around 21,000 people).
If all 11 data sets were on the laptop – and nobody knows for sure – then, according to the report, the hard drive would have contained “the personal information and/or the personal health information of a total of 40,045 unique individuals, of which 39,145 were from the Northwest Territories, 257 were from other provinces/territories, and 634 could not be identified because of errors or missing identifiers at the original source.”
Virtually all of the records have at least two of a person’s name, date of birth, and healthcare number.
The employee used the laptop to evaluate health data over periods of time to spot trends. As they regularly travelled, they downloaded some data to keep working while on the move.
Owing to an apparent error by the NWT government’s technology staff, the employee’s laptop was not encrypted (though it was password-protected) – a fact only uncovered later and apparently a surprise to both the department and the employee, who had believed the machine to be encrypted.
However, both the privacy commissioner and the department say there is no evidence any data on the machine has ever been accessed or used maliciously since the theft.
Some lessons not learned?
While the report says the department quite closely followed its privacy breach policy once the laptop had been stolen, Keenan Bengts said the NWT government’s own, internal report into the breach “largely ameliorated the actions and failings of employees.”
“I am unable to accept these findings,” she wrote, adding a “combination of steps and missteps, actions and failures” set up the conditions for the breach to occur.
Elaine Keenan Bengts appears before a committee at the NWT legislature on January 15, 2019.
Keenan Bengts took a dim view of some government attitudes to the incident, particularly the chief health privacy officer’s contention that the theft wouldn’t have amounted to a reportable breach had the laptop been encrypted.
In a scathing section of the report, Keenan Bengts wrote: “This was a major incident involving the personal health information of nearly every resident in the Northwest Territories. While I understand that it was uncomfortable to have to advise the public about it, this is an instance in which the public absolutely had the right to know that the theft had occurred and as quickly as possible after the theft occurred.
“The chief health privacy officer should be the one advocating for clients’ privacy rights and departmental accountability, not trying to find ways to hide the mistakes made.”
Other issues ranged from the employee’s failure to delete old data from the laptop through to a concern that Population Health “does not seem to have learned many lessons” since the breach, in terms of how it handles data.
“The division continues to download personal health information onto mobile devices (albeit now to encrypted devices) notwithstanding the breach and the tremendously negative public reaction to the breach,” Keenan Bengts wrote.
Umesh Sutendra, a Department of Health and Social Services spokesperson, said the department had put in place strict measures to ensure health data was only downloaded to portable devices in “specific circumstances.”
Sutendra told Cabin Radio the department had instructed Population Health staff to “cease storing personal health information on portable devices and use only approved, secure servers to access this type of data.”
Sutendra wrote: “In specific circumstances where no network access is available during field work, collection and use of personal health information on a mobile device is restricted to a specific period of time with vigilant logging requirements.”
Are things changing for the better?
Keenan Bengts’ 14 recommendations include the full encryption of all mobile devices associated with the department, a detailed policy governing the downloading of health information to those devices, and a thorough privacy audit of the Population Health team by an independent expert.
“The department has accepted the commissioner’s recommendations and is integrating them into its practice going forward,” said Sutendra.
All unencrypted laptops have been taken out of use, Sutendra wrote, while privacy training has been stepped up.
Asked by Cabin Radio how far the NWT has still to go in terms of health information privacy, outgoing minister Abernethy acknowledged the laptop theft was “a big problem.”
“What matters is a computer with data on it in our care and control was stolen. And had somebody had the intent or understood what was on there, we could have had a situation where somebody could have actually opened it,” he said.
“There’s no indication that the system was ever turned on or engaged. But it doesn’t matter. It was no longer in our care and possession. It’s a big problem.”
Abernethy said he had expected serious problems when initially pursuing the introduction of the Health Information Act, which governs how such information is handled – and makes reporting mandatory when there is a breach.
“Since we put in the Health Information Act, clearly, there’s a problem. And it means not everybody was respecting the privacy of our residents and their data as they should. I think the attitude has changed significantly in the last couple of years,” he said.
“It’s making people reconsider how they use the data and how they keep that data in their possession.”
The privacy commissioner’s report into a separate breach from late 2018, in which a Fort Simpson resident claimed to have found discarded health documents at the village dump, has yet to be made public.
When asked about that incident, Abernethy appeared to suggest a belief that all was not as it may have appeared.
Saying the files were only “allegedly” uncovered by chance at the dump, Abernethy added: “The privacy commissioner is still reviewing that situation, and I look forward to hearing her findings and her recommendations. It’ll be interesting what those say.”
Beyond privacy, a lack of patient faith
Meanwhile, at a gathering in Yellowknife on Sunday, a leading NWT doctor said issues with the use of health information go beyond concerns about privacy and stretch across the whole of Canada.
Dr Ewan Affleck, a physician in Yellowknife since 2001, said concerns were well-founded that, nationwide, “the health industry does not manage health information safely.” Affleck argued no institution had yet taken responsibility for the effective design or planning of how such information should be used.
“There are Canadians running all over this country trying to collect their information because they are scared. And they don’t, frankly, have faith,” said Affleck, speaking at an event hosted by the NWT Wellness Society and Northern Conversations entitled “Falling Through The Cracks.”
“It really doesn’t make sense that the owner has to be scared about something they own,” said Affleck.
“To be candid with you, I would suggest we have to re-imagine the entire thing. I would suggest that possibly a class-action lawsuit is in order, where we begin saying, as owners of information, we demand that we have it. Because it is damaging us not to have it.”
Residents who attended Sunday’s presentations heard from several people who had to fight the healthcare system, in various ways, for access to the correct information – and for that information to be properly shared between facilities.
“It seems to be a threat to people to re-imagine healthcare as being about the patient. It shouldn’t be a threat,” said Affleck.
“I think it’s a threat to some professionals, health authorities, and governments at times. In fact, I think it would be cheaper and make everyone happier and work better.
“I’m not sure what’s stopping us from re-imagining that.”