The medical records of 2,700 children were stolen with a laptop computer belonging to a researcher with access to Alberta Health Services files, Information and Privacy Commissioner Frank Work revealed today.
The researcher has reported the loss to only 46 of the 2,700 patients. Work will investigate the theft and how it was handled.
The children whose records were stolen were "pediatric gastroenterology and nutrition patients," according to Work’s office.
That theft occurred Oct. 25 but wasn’t reported to Work until Nov. 29, by the University of Alberta.
A background document from Work’s office says "the laptop was password protected, but not encrypted, which does not meet the standard set in our investigation reports – all health information on mobile devices must be encrypted."
That case is only one of six startling data thefts and losses in the past month. In every case the personal data was not encrypted – a fact Work finds "incomprehensible."
Another case involving government was the theft of a digital recorder with recorded statements made by citizens in Fish and Wildlife investigations.
Stolen from a Sustainable Resources officer Oct. 12, the digital recorder contained the cautioned statements of six private citizens, video of an investigation of a person in a decoy operation, and a suspect’s confession.
A laptop stolen that day – presumably from the same officer – contained a contact list for Junior Forest Rangers, as well as the employee’s performance record.
"Encryption technology is pretty much commonplace, and it’s irresponsible that an organization would allow this stuff out the door, without ensuring it’s protected," Work said.
"Is there a need to put people through this, when the information could easily be encrypted? And these organizations put themselves through a lot of extra work, cost and loss of credibility, when they have to notify individuals that they lost their personal information."
Other cases in the past month:
-An employee of an unnamed trust company had his laptop stolen when he left it in his car overnight at his home. It contained 135 e-mails with highly sensitive personal information, including individuals’ mortgage applications, names, Social Insurance numbers, and credit reports.
-In a second case involving children, a speech pathology office was burglarized and the records of 50 patients under six were stolen with an external hard drive. The drive detailed information about the families involved.
-An employee of a market research company left a laptop in an airport overseas. It contained personal details – including home addresses and Social Insurance numbers – of 27 Albertans. The laptop was not turned in at the airport. Work assumed it was kept for personal use or profit.
-A laptop used by an employee of a company providing payroll services to another firm was stolen from a family member’s car. It contained all employment information of 133 employees. In this case there was apparently multiple password protection, but Work notes that the report doesn’t mention encryption.