EDMONTON – Alberta’s Information and Privacy Commissioner confirmed Thursday that she will launch an investigation into the Medicentres privacy breach, as well as a broader review of the way breaches are reported in the health sector.
“This incident raises concerns about how privacy breaches are reported generally,” explained Jill Clayton. “Therefore, in addition to the Medicentres investigation, we will also be conducting a thorough review of the broader issue of privacy breach reporting by the health sector in Alberta.”
On Wednesday, Health Minister Fred Horne said a laptop containing the name, date of birth, provincial health card numbers, billing codes, and diagnostic codes of 620,000 Albertans was stolen in September.
Horne said he received a letter on Tuesday from the vice president of Medicentres Family Health Care Clinics informing him of the theft, which the company learned about on Oct. 1, 2013.
“I’m quite frankly outraged that this would not have been reported to myself or my department sooner,” said Horne.
READ MORE: Laptop containing health details of 620,000 Albertans stolen
Medicentres said the laptop belonged to an IT consultant working for the company.
Dr. Arif Bhimji, chief medical officer with Medicentres Canada, says the IT consultant was working on an app at the time.
“Immediately upon learning of this theft, Medicentres contacted the Edmonton Police Department and the Office of the Information Privacy Commissioner in Alberta,” read the company’s statement.
Privacy Commissioner Jill Clayton explained why the theft of the laptop was not reported to the health minister until nearly four months after it happened.
“Currently, there are no provisions under Alberta’s Health Information Act (HIA) requiring a health custodian to report a breach to my office or notify affected individuals.”
“When we do receive reports of this nature, it is done on a voluntary basis. Decisions about when and if affected individuals will be notified of a breach are the responsibility of the custodian. I have no authority to require custodians to notify affected individuals.
Read the Alberta Privacy Commissioner’s full statement below.
She explained that when a breach is reported to the Office of the Information and Privacy Commissioner of Alberta (OIPC), it works with the party to assess the risk and makes recommendations on how the group should handle it and prevent future breaches.
“When there is the potential for harm to individuals, it is always our practice to recommend immediate, direct notification to all affected parties.”
Clayton said the Health Information Act prohibits the privacy commissioner from releasing any information obtained in performing her duties.
She explained that, under Alberta’s private sector privacy law, if there is a risk of significant harm to an individual, organizations must report a breach of personal information to the Privacy Commissioner. In that case, Clayton said she can force the organization to notify all those affected.
Clayton said she has advocated for mandatory breach reporting and notification provisions to be added to the FOIP Act. She said she will be asking the government to consider such an amendment.
Horne requested the privacy commissioner investigate the breach on Wednesday.
“To find out what happened, why health authorities have only just been informed, and what, if any, breaches of privacy legislation may have occurred,” the health minister explained.
“It’s remarkable to me that this has occurred,” said Wildrose leader Danielle Smith, “that there isn’t a way for apparently the health minister to be notified when it occurs.”
“I think that there’s a serious question that we have here about who knew what when? Why wasn’t the minister told by the company? Why wasn’t the privacy commissioner telling the minister?”
The NDP is calling on the government to draft tougher legislation to ensure the private medical information of Albertan is better protected.
“A breach of this magnitude is shocking,” said NDP Health Critic David Eggen. “For this government to fail in protecting such sensitive health information highlights the massive gaps we have in this province, and it is obvious that current legislation is not effective.”
Meanwhile, John Russo, chief privacy officer for Equifax Canada, calls this the biggest breach of privacy in Canadian history.
“From our experience, this is the biggest one in Canada,” he says. “Last year, student loans had a loss of 550,000 Canadians. This beats it by 70,000.”
In October, he says Equifax noticed about a five per cent increase in identity thefts in Alberta, but cannot say for certain if the trend is related to the laptop theft.
Russo believes the information contained on the stolen laptop would be enough to do damage.
“With sophisticated fraudsters, a name and a date of birth, they can do some serious harm to consumers. Just with that information alone, they can set up fake IDs, start applying for credit in your name, stealing your identity.”
“At a minimum, consumers should at least put a credit alert on their file… to notify credit granters that their ID has been lost, stolen or compromised.”
However, Mike Berezowsky with Service Alberta, disagrees.
“The information included… name, date of birth, and the health care card number, as well as some additional billing information – none of that is the kind of thing that, alone, would get you a driver’s license or an Alberta ID card.”
Service Alberta says government-issued photo ID is required to get identification in another name. A facial recognition system is also used.
Affected patients who have questions are asked to contact Medicentres directly at 780-484-8741 or via email at info@medicentres.com.
For more information on protecting yourself against fraud and identity theft, visit Service Alberta’s website.
Alberta Information and Privacy Commissioner on Medicentres privacy breach
Comments