The NWT’s privacy commissioner condemned the actions of a health authority manager as she suggested health documents allegedly found at Fort Simpson’s dump may in fact have been stolen.
Elaine Keenan Bengts’ report into how the documents ended up in the possession of resident Randal Sibbeston – who held on to them for weeks before showing them to a CBC reporter – was made public on Wednesday.
The report states document security in the community was lax at best, and finds the health authority responded inappropriately on discovering a privacy breach may have taken place. It calls for a full and urgent review of how documents are stored.
Keenan Bengts concludes there remains “the very real possibility that there are many more similar records sitting around in neglected storage areas throughout the Northwest Territories, ripe for a similar breach to occur.”
Records relating to 134 people were involved in the Fort Simpson breach, spanning the years 1988 to 2005. Most were from the 1990s and pertained to addictions treatment and counselling – including, in some cases, information about health and treatment history.
Sibbeston told the CBC he found the documents at Fort Simpson’s landfill in late 2018.
The report, however, suggests there may be merit to the suspicion voiced both by Fort Simpson residents and senior government officials that something else happened to the documents.
Keenan Bengts writes that what happened to the files before Sibbeston took them to local MLA Shane Thompson and the CBC is “impossible to determine.”
She states the documents could indeed have been found at the dump, as there had been a clean-out of a document storage room in the community in July 2018, five months before Sibbeston went public.
Some boxes from that clean-out were left in a boardroom and subsequently moved around when the boardroom was itself cleared out prior to conversion into office space. Other boxes from the storage facility were taken to the dump – but witnesses told investigators they were certain no files had been in the dumped boxes.
“It is also possible that A.B. simply took a box of files … when they were left in the porch or the foyer of the building during one of these two clean-outs,” Keenan Bengts writes, using the abbreviation “A.B.” to refer to the resident who found the files, identified by the CBC as Sibbeston.
“There is also a very real possibility that the files could have been taken directly from the storage cages [in the facility], using the keys in the unsecured key box to gain access to the unlocked storage room and the cages in the storage room.”
Keenan Bengts’ report portrays security at the document storage facility – in the basement of a Fort Simpson building – as “at best weak and, at worst, non-existent.”
Investigators turning up to establish what took place found the door to the storage area unlocked, several storage cages unlocked, and other instances in which the keys for storage cages could not be found.
The report characterizes A.B. as an unreliable witness.
“A.B. suggested that the one box handed over to the Information and Privacy Commissioner was only a sample of the ‘thousands’ of files he had actually retrieved,” Keenan Bengts writes. “That said, knowing that he could be prosecuted under the Health Information Act for failing to produce documents demanded by the Information and Privacy Commissioner, he later confirmed that he had handed over all records in his possession and had not copied any of them.”
A.B. declined to accompany investigators to the dump, Keenan Bengts writes, despite insisting more documents might be there.
The report states investigators could find no other documents at the dump, and any remaining records would have ended up being incinerated by December 2018.
Local management ‘did nothing’
However, the report’s greatest ire is reserved for the health authority, and in particular its chief operation officer (COO) for the Dehcho region.
That employee had trouble recalling when they had first been informed of the potential breach, Keenan Bengts writes, and had not set foot in the document storage area – despite holding responsibility for it.
“The COO took no steps to investigate the matter [once informed] and ensure that the records that were under his custody and control, including the ones in the cages, were secure and accounted for,” the report states.
“He also did not initiate a breach response under the policy or follow up with A.B. about the allegations.”
Keenan Bengts concludes that meant “it is clear [the health authority was] not in compliance” with the relevant legislation that guards health information.
She characterizes the health authority’s initial response as a “non-response” until the authority’s headquarters became aware of the situation after the CBC’s initial report. At that point, “immediate steps were taken” and “appropriate steps were taken to advise those affected by the breach.”
‘Consider prosecuting’ Sibbeston
But Keenan Bengts says little has been done since the breach to make sure documents are any more secure, either in Fort Simpson or elsewhere.
Few written policies and procedures were in place, she states, and security remained poor many months after the breach came to light.
“Leadership failed to take any steps to prevent another breach involving the records in storage in the basement,” the report states.
“Months later, when investigators arrived to gather information, they found the key box still located in an unmonitored public area, still unlocked. The door to the storage area was both unlocked and open.
“No apparent effort had been made to assess or organize the files remaining in the storage cages. I would have expected that head office would have taken immediate steps.”
Across the NWT, Keenan Bengts writes, “there are likely to be dated paper records that are being stored without being properly protected or archived in accordance with privacy protective principles and general best practices in records management.
“This is hugely concerning. This may well be an issue for other public bodies as well.”
Among a string of recommendations, Keenan Bengts urges the health authority to review how documents are stored, take immediate steps to put more safeguards in place, and give consideration “to prosecuting A.B. [Sibbeston] so as to send a clear message to the public that it is not appropriate to disclose found personal health information to the press or to the public, regardless of the circumstances.”
The health authority has been approached for comment.
Sibbeston, reached by email, did not directly address a question related to the recommendation that the territorial government consider prosecuting him.
“I know where there are thousands more files at the dump,” he reiterated.
“I was with other people when I found those files and no one even looked at the dump where I showed [CBC reporter] Hilary Bird where they were. I know because I know the guy working at the dump.”