Approximately 33,661 unique medial records were compromised by an unknown source after a GNWT laptop was stolen from a conference in Ottawa on May 9.
The hard-drive on the laptop was not encrypted, meaning 45,000 references and data tables to medical records on the laptop would be easily accessible to the person who stole the device.
Deputy Health Minister Bruce Cooper said the purpose of notifying the public about the breach is to inform people they may be at risk.
“If anyone suspects they might be the victim of identity theft they should report that to the police,” said Cooper. “We monitor the use of our health cards … they can request a new health card at any time, free of charge.”
The May investigation was conducted by Chief Privacy Officer Jannet Ann Leggett. The investigation was concluded on June 18 which determined data had been breached, meaning someone could have accessed information.
Dave Heffernan, chief information officer at the Finance Department, said all laptops in the department have been updated to ensure the breach does not happen again.
Heffernan said a laptop is the best practice for storing medical information, but adds there are other methods of storage which the government is looking into.
“As a government we haven’t moved towards the cloud, but we are investigating the use of cloud-based services,” said Heffernan. “Because of the different types of information and data across the organization we have to do it in a very planned fashion.”
After the investigation, all government laptops were examined and several were found not encrypted. The issue has now been fixed and all devices have had their hard-drives updated.
This is not the first time medical records have been breached while under control of the GNWT. In 2016 the Beaufort Data Health and Social Services Authority confirmed 67 patients had been notified their information was compromised.
After the breach in 2016 the authority was presented with an extensive list of recommendations including staff wide privacy training.
Employees go through two types of privacy training. One is mandatory training upon employment while the other was introduced as a result of the Beaufort Delta incident which coincides with the Health Information Act. To date, 30 to 50 per cent of employees have undertaken the new training.
“There is a culture of privacy in health care and it’s part of the training of the professionals that we hire,” said Cooper. “This issue is not about training. This is a
theft of a device that we thought was encrypted and turned out wasn’t so it’s reasonable for our department to to believe that we were following best practice in protecting privacy.”
Cooper would not comment on the repercussions of the employee during a
teleconference with media, however a statement to Yellowknifer states the person in possession of the laptop before the theft took all the necessary actions to keeping it safe.
“It’s important to note that this was the result of a theft and not as a result of an act of commission or omission,” stated spokesperson Damien Healy in an email. “The preliminary investigation concluded the device was in secure compartment in a locked vehicle, it was protected by a strong password and the employee believed with reason the device was encrypted.”