Close X
Thursday, November 28, 2024
ADVT 
National

Privacy commissioner rules Medicentres failed to protect info on stolen laptop

Darpan News Desk Canadian Press, 29 Aug, 2014 11:43 AM
    Alberta's privacy commissioner says a chain of medical clinics failed to protect patients' health information on a laptop that was stolen — and took too long to publicly report the theft.
     
    The commissioner's office released its report Friday into the breach, along with several recommendations for Medicentres Inc., including one that the company update its notification policy.
     
    An information technology consultant who had taken his laptop from work lost it at a public venue on Sept. 26, 2013. Nine days later, when the laptop couldn't be found, the company reported the theft to police and the privacy office.
     
    The company didn't tell the government or the patients and their doctors until January.
     
    The laptop contained key information from about 621,000 patients, who had been seen by doctors at the company's Alberta clinics dating back to May 2011. The computer was password-protected but not encrypted.
     
    Encryption is a "no-brainer" that the privacy office has been recommending to health providers for years, said Brian Hamilton, the office's director of compliance and special investigations.
     
    In addition, he said, Medicentres failed to properly inform the consultant of its security policies and didn't conduct regular checks on his work.
     
    "This really speaks to governance and delegation of authority and being aware of what your service providers are doing," Hamilton said.
     
    The report further criticized the four months Medicentres took to inform the patients and their doctors.
     
    Disclosure wasn't mandatory by law at the time. But the privacy office had guidelines stating anyone involved in a breach should "immediately" respond and notify affected individuals. The report said staff repeatedly told Medicentres that it should notify people, but the company "spent considerable time considering and rejecting various methods of notification."
     
    Hamilton said Medicentres technically adopted the privacy office's guideline, but without a time factor, and should revise its approach to "make sure its responses are more timely."
     
    Health Minister Fred Horne said he was outraged by the delay when he learned about it. He was also angry that the privacy commissioner wasn't required to inform him about the breach.
     
    Since then, changes have been made to the province's Health Information Act that require mandatory notification of people affected by privacy breaches. Violations carry a minimum $2,000 fine for an individual and $200,000 for a corporation.
     
    Horne said details, such as how many days should be allowed for notification, are still being discussed but should be finalized in the fall.
     
    "This should never happen again," he said Friday.
     
    Dr. Arif Bhimji, chief medical officer for Medicentres, said the company needed time to pull together a team to respond to the phone calls it would receive from people about the laptop breach.
     
    Four months was "not unreasonable," he said.
     
    "I think moving forward we would try to do things sooner, but I'm assuming that we will never have this situation again."
     
    Many of the report's recommendations have already been made and others are being "worked on," Bhimji said.
     
    Medicentres has also stopped hiring consultants, he added, and will only do so again if they work strictly out of company offices with company equipment.
     
    Medicentres was recently in court asking for a stay on the release of the privacy commissioner's report and a publication ban on its contents. The judge dismissed the application.
     
    Bhimji said the company wanted more time to respond to a draft version.
     
    Court of Queen's Bench Justice Robert Graesser wrote in his decision that the company's main concern seemed to be "the potential impact the final report may have on the intended class proceedings it faces."
     
    A multimillion-dollar, class-action lawsuit against Medicentres was filed in June on behalf of patients who had their personal data stored on the laptop.
     
    Medicentres and the privacy office agree that, so far, none of the patients has fallen victim to an identity crime.

    MORE National ARTICLES

    Vancouver man partway through charity swim from New Brunswick to P.E.I. and back

    Vancouver man partway through charity swim from New Brunswick to P.E.I. and back
    A Vancouver man has made it halfway through his mission to swim from New Brunswick to Prince Edward Island and back for charity.

    Vancouver man partway through charity swim from New Brunswick to P.E.I. and back

    When Stephen Harper got down on the ground, sniper-style, and fired off a few shots

    When Stephen Harper got down on the ground, sniper-style, and fired off a few shots
    FORT SMITH, N.W.T. - Like any true collector's item, the Cold War-era rifles still used today by the Canadian Rangers come in their original boxes.

    When Stephen Harper got down on the ground, sniper-style, and fired off a few shots

    Ebola Scare in Montreal: Patient being Tested for Virus after Returning from West Africa

    Ebola Scare in Montreal: Patient being Tested for Virus after Returning from West Africa
    MONTREAL - A patient has been placed in isolation at a Montreal hospital after showing symptoms consistent with the often deadly Ebola virus.

    Ebola Scare in Montreal: Patient being Tested for Virus after Returning from West Africa

    HitchBOT the hitchhiking robot wraps up cross-country journey in Victoria

    HitchBOT the hitchhiking robot wraps up cross-country journey in Victoria
    VICTORIA - Once he gets past the plastic-bucket body, the pool-noodle arms and the complete lack of a soul, Seb Leeson sees a lot of himself in HitchBOT, the ragtag robot that spent several weeks hitchhiking across Canada.

    HitchBOT the hitchhiking robot wraps up cross-country journey in Victoria

    Alaska Requests Greater Involvement In Oversight Of Large B.C. Gold Mine

    Alaska Requests Greater Involvement In Oversight Of Large B.C. Gold Mine
    VANCOUVER - The state of Alaska has taken the rare step of asking the Canadian government for greater involvement in the approval and regulation of a controversial mine in northwestern British Columbia amid growing concern that the project could threaten American rivers and fish.

    Alaska Requests Greater Involvement In Oversight Of Large B.C. Gold Mine

    Russia's growing military presence in the Arctic a concern to Harper

    Russia's growing military presence in the Arctic a concern to Harper
    FORT SMITH, N.W.T. - Russia's growing military presence in the Arctic is a concern and Canada should not get complacent about it, Prime Minister Stephen Harper said Friday during the second leg of his annual northern tour.

    Russia's growing military presence in the Arctic a concern to Harper