Breach Among Largest Ever in Canada: Stolen Laptop Affects Thousands of Patients
Health data breaches involving unencrypted devices aren't just an American problem. The recent theft of an unencrypted laptop from an IT consultant working for Medicentre Family Health Care Clinics in Edmonton has resulted in what is believed to be one of the largest health data breaches ever reported in Canada.
Medicentres, which operates 27 clinics in four Canadian cities, this week disclosed the Sept. 26, 2013, incident, which may have affected as many as 620,000 patients.
The healthcare provider reported the incident to local police and the Office of the Information and Privacy Commissioner of Alberta on Oct. 1, 2013, Arif Bhimji, M.D., Medicentres' chief medical officer, tells Information Security Media Group.
The organization waited four months to contact the province's Ministry of Health and only began notifying affected patients this week because it had been busy "reviewing policies and procedures" in the wake of the incident, Bhimji says. That work included assessing the data that was contained on the stolen laptop; conducting security risk and administrative audits; implementing corrective actions, such as encrypting all portable computing devices; and setting up a call center to assist affected patients, he says. Many of those activities fell during the holiday season, when many workers are off, which also stretched out the time taken to complete them, he adds.
The patient data contained on the stolen laptop included names, dates of birth and health information numbers, but not full medical records, Bhimji says. The breached information was likely insufficient to enable identity theft because it did not include social insurance numbers, he contends. Medicentres has nonetheless suggested that affected patients monitor their credit card statements for unusual activity, although the clinic operator is not offering free third-party credit monitoring, he says.
So far, there is no evidence that the data has been inappropriately accessed or used, Bhimji adds.
The IT consultant whose laptop was stolen is an employee of an IT consulting firm used by Medicentre, but that consultant is no longer working with the clinics, says Bhimji, who declined to name the firm. The consultant had been building applications "for day-to-day operations and for sending information to the Ministry of Health," he says.
Unlike the U.S., which has the HIPAA breach notification rule, Canada does not have a federal health data breach notification requirement. But the Canadian provinces have their own rules, including some that mandate notification. Under Alberta's Health Information Act, which was enacted in 2001, the reporting of health data breaches is voluntary, privacy experts say.
While Medicentres notified authorities right after the incident, the provider wasn't required to do so, Bhimji acknowledges.
Privacy attorney David Fraser, a partner in the Halifax, Nova Scotia office of law firm McInnes Cooper, notes: "In Canada, health privacy is mostly within provincial jurisdiction, so we don't have a comprehensive federal law with a consistent approach. The Health Information Act of Alberta is a relatively old statute, which pre-dates the more recent trend toward requiring notification in the event of data breaches. The more modern provincial statutes, such as the Personal Health Information Protection Act of Ontario, have strict notification requirements."
Canadian privacy laws are also mostly non-prescriptive regarding how data is protected, Fraser says. "Our laws tend to be technology neutral, imposing reasonable safeguards in light of the sensitivity of the personal information at issue," he says. "[While] none of our statutes say 'thou shalt encrypt', it is really a no-brainer - and a policy requirement in some jurisdictions - that any personal health information on a laptop computer or other mobile storage device be encrypted."
But Fraser points out: "It's also worth asking whether it is ever a good idea to give a contractor 620,000 records on a mobile device under any circumstances." And he notes that the Medicentres incident is believed to be one of the largest health data breaches ever reported in Canada.
While Alberta's Health Information Act doesn't require health data breach notification, the province's privacy commissioner recommends that breaches be reported as a matter of good practice.
"Reporting a breach is not mandatory under the HIA," says a statement on the Office of the Information and Privacy Commissioner of Alberta's website. "Even so, reporting a breach to the OIPC is a good practice for the following reasons:
- A decision to notify the OIPC is viewed as a positive action by the public. It tells your patients and the public that you view the protection of health information as an important and serious matter. This may enhance patient/public confidence.
- The OIPC can provide advice or guidance in responding to the incident.
- It will assist the OIPC in responding to inquiries made by the public and managing any complaints that may be received as a result of the breach."
An OIPC spokesperson would not comment on the Medicentres breach. Some 57 breaches were reported under the Health Information Act in 2012 and 2013, the spokesperson says.
However, in a Jan. 23 statement, the OIPC said Information and Privacy Commissioner Jill Clayton has decided to launch an investigation into the Medicentres privacy breach, "as well as a broader review of the way privacy breaches are reported in the health sector in this province."
"This incident raises concerns about how privacy breaches are reported generally," Clayton says in the statement.
Separately, Alberta's Personal Information Protection Act, which governs private-sector organizations' handling of personal information, requires organizations to report to the OIPC "incidents that result in a real risk of significant harm to individuals."
At the federal level, the Personal Information Protection and Electronic Documents Act "applies to organizations handling personal information in the course of commercial activities, and it does not have mandatory breach notification," says a spokesman for the Office of the Privacy Commissioner of Canada. "Some provinces also have privacy laws dealing with commercial activity. ... Generally speaking, if they are deemed to provide substantially similar protection they apply within the province rather than PIPEDA - as is the case in Alberta, British Columbia and Quebec."
Also, "most provinces have passed laws protecting health information, and some of these, for example, Newfoundland and Labrador, Ontario and New Brunswick, include mandatory breach notification for personal health information," he adds.
In the U.S., data breaches involving the loss or theft of unencrypted computing devices have been responsible for more than half of the 804 major breaches confirmed since September 2009, according to the U.S. Department of Health and Human Services (see Health Data Breach Tally Tops 800).