An unencrypted laptop potentially containing the health information of more than 30,000 NWT residents was stolen in Ottawa last month.
The Department of Health and Social Services confirmed the theft in a news release on Thursday, 50 days after the incident took place on May 9.
According to the department, information on the laptop included the names of patients in the NWT, their health card numbers, dates of birth, details of their diseases or conditions, and their home communities.
“33,661 unique NWT residents may have been affected by this incident,” said deputy minister Bruce Cooper. Glen Abernethy, the health minister, offered an apology to residents.
The laptop, used by the department for data analysis, was stolen from a locked vehicle. There is no indication the data has since been accessed.
More than three-quarters of the territory’s population is believed to be affected. There is no way of knowing if your name is included in the data, the department said.
“We don’t believe any action is required by residents at this time,” said Cooper.
“If anyone feels they might be a victim of identity theft, they should report that to police. We monitor our health cards for unusual activity and a resident can request a new health card at any time, free of charge.”
Encryption ‘was missed’
The territory’s technology staff initially believed the device was encrypted, only realizing at the beginning of June that it was not.
“Although the device had strong password protection, the device was not encrypted,” the department said.
“The Government of the Northwest Territories’ Technology Services Centre (TSC) uses the latest software to
encrypt all TSC-supported devices. However, in this case, while the device was capable of encryption, the encryption process either failed or was missed and not detected by the TSC.”
This lack of encryption contravenes regulations relating to the NWT Health Information Act, which state data protection measures “must include … the use of authentication and encryption to protect information stored electronically.”
The department’s chief privacy officer has duly termed the laptop’s loss a privacy breach, given the data was unencrypted. The territory’s information and privacy commissioner has been notified.
“The Department of Health and Social Services has taken immediate steps to respond to the theft of the laptop and prevent any future breaches,” the statement continued.
Those measures include encrypting all of the department’s devices and additional training for staff.
“I would like to apologize to our residents,” said Minister Abernethy in a statement.
“We must ensure that we are taking all necessary steps to protect the private health information of our residents. I have directed our officials to ensure that patients’ personal health information is protected at all times.”
Information ‘not accessed’
“There were over 45,000 references to personal information of NWT residents,” said Cooper. “Their information may have been in one of the [laptop hard drive’s data] tables.
“The department is not aware that any of the information on the laptop has been accessed.”
Dr André Corriveau, the territory’s chief public health officer, said the data had been collected legally under the Public Health Act – including things like immunizations, cancer diagnoses, tuberculosis, sexually transmitted infections, and other infectious diseases that require follow-up.
“They are not complete data sets from medical records but selected fields,” said Dr Corriveau.
“This is part of our routine work. The individual was working with this data to produce tables and reporting as required.”
In an email on Thursday afternoon, a Department of Health spokesperson said the employee in possession of the laptop could not be faulted for the data breach.
“A comprehensive investigation was undertaken by our privacy staff,” said spokesperson Damien Healy.
“The preliminary investigation concluded the device was in secure compartment in a locked vehicle, it was protected by a strong password and the employee believed with reason the device was encrypted.
“The investigation concluded the custodian had met the expectation regarding protection of this device. Important to note that this was the result of a theft and not as a result of an act of commission or omission.”
‘Culture of privacy’
On May 17, more than a week after the laptop’s theft, health minister Abernethy wrote a letter to Yellowknife MLA Julie Green making no reference to the incident but reaffirming his department’s commitment “to promoting a culture of privacy across the Northwest Territories health and social services system.”
It’s not clear how much, if anything, Abernethy and the department knew of the theft and the laptop’s contents at the time.
The letter promised more privacy training for staff. Almost half of the territory’s health and social services employees, the letter stated, had not received any privacy training as of May this year.
This is the most significant health privacy breach in the Northwest Territories since November 2014, when a Yellowknife doctor misplaced a USB drive containing the personal medical data of more than 4,000 people.
The affected patients were informed and the drive turned up again a month later.