Medicentres failed to safeguard health info: Alberta privacy commissioner
EDMONTON – An investigation by the privacy commissioner into the January theft of a laptop containing details of nearly 622,000 Albertans found Medicentres Canada Inc. was in contravention of the Health Information Act.
The investigation was launched on January 23, 2014, after it was revealed that a laptop containing the names, dates of birth, provincial health card numbers, billing codes, and diagnostic codes of 621,884 Albertans was stolen in Sept. 2013.
Medicentres was notified on October 1, 2013, that a laptop belonging to an IT consultant working for the company was stolen.
Alberta’s health minister wasn’t informed until late Jan. 2014.
“I’m quite frankly outraged that this would not have been reported to myself or my department sooner,” said Fred Horne at the time.
The privacy commissioner’s investigation found Medicentres failed to consider privacy risks and failed “to take reasonable steps to safeguard health information on the laptop computer.”
It also found the company “did not provide guidance to the contracted IT consultant about the protection of health information.”
Medicentres said the IT consultant was working on an app at the time of the theft.
In a statement Friday, the company said “the IT consultant had copied information from Medicentres’ secure network onto his laptop without the knowledge or approval of Medicentres, and in contravention of a written confidentiality agreement.
“Medicentres voluntarily reported the loss of the laptop to the OIPC and has worked closely with the OIPC since this occurrence.”
The investigation found that Medicentres followed Office of the Information and Privacy Commissioner (OIPC) guidelines in responding to the privacy breach, but “it spent considerable time doing so.”
The report recommends changes to Medicentres’ breach response protocol to include “timelines for notification.”
In addition, the report recommends the company make changes to make sure doctors know about decisions Medicentres makes. Currently, the agreement between the company and its physicians doesn’t require Medicentres to notify the physicians about work it does on their behalf.
In the case of the stolen laptop, physicians were not told about the breach until nearly four months after it happened.
“I’m pleased to see that we have a report and some concrete recommendations,” said Health Minister Fred Horne, “and I understand Medicentres … has indicated they’ve already begun the process of implementing those recommendations. So, it’s very good to hear that.”
The OIPC received 23 complaints from people who were affected by the theft. The complaints were put on hold pending the results of the privacy commissioner’s investigation.
On Friday, Medicentres said “to date, there is no evidence to suggest that any of the personal information on the laptop has been accessed or misused.”
The company added that it has fully cooperated with the privacy commissioner’s investigation.
“In consultation with the OIPC, Medicentres has already reviewed security procedures and implemented additional policies and processes to further safeguard patients’ information,” the company said Friday.
“We will review the report recommendations in detail and continue to work together with the OIPC to effect any other recommendations.”
The health minister added that amendments were made to the Health Information Act in the spring session.
“It’s now a requirement of law in Alberta for anyone that inappropriately releases health information to disclose that, both to the person or persons whose health information is affected and to the Information and Privacy Commissioner.”