Alberta's privacy commissioner says a chain of medical clinics failed to protect patients' health information on a laptop that was stolen — and took too long to publicly report the theft.
The commissioner's office released its report Friday into the breach, along with several recommendations for Medicentres Inc., including one that the company update its notification policy.
An information technology consultant who had taken his laptop from work lost it at a public venue on Sept. 26, 2013. Nine days later, when the laptop couldn't be found, the company reported the theft to police and the privacy office.
The company didn't tell the government or the patients and their doctors until January.
The laptop contained key information from about 621,000 patients, who had been seen by doctors at the company's Alberta clinics dating back to May 2011. The computer was password-protected but not encrypted.
Encryption is a "no-brainer" that the privacy office has been recommending to health providers for years, said Brian Hamilton, the office's director of compliance and special investigations.
In addition, he said, Medicentres failed to properly inform the consultant of its security policies and didn't conduct regular checks on his work.
"This really speaks to governance and delegation of authority and being aware of what your service providers are doing," Hamilton said.
The report further criticized the four months Medicentres took to inform the patients and their doctors.
Disclosure wasn't mandatory by law at the time. But the privacy office had guidelines stating anyone involved in a breach should "immediately" respond and notify affected individuals. The report said staff repeatedly told Medicentres that it should notify people, but the company "spent considerable time considering and rejecting various methods of notification."
Hamilton said Medicentres technically adopted the privacy office's guideline, but without a time factor, and should revise its approach to "make sure its responses are more timely."
Health Minister Fred Horne said he was outraged by the delay when he learned about it. He was also angry that the privacy commissioner wasn't required to inform him about the breach.
Since then, changes have been made to the province's Health Information Act that require mandatory notification of people affected by privacy breaches. Violations carry a minimum $2,000 fine for an individual and $200,000 for a corporation.
Horne said details, such as how many days should be allowed for notification, are still being discussed but should be finalized in the fall.
"This should never happen again," he said Friday.
Dr. Arif Bhimji, chief medical officer for Medicentres, said the company needed time to pull together a team to respond to the phone calls it would receive from people about the laptop breach.
Four months was "not unreasonable," he said.
"I think moving forward we would try to do things sooner, but I'm assuming that we will never have this situation again."
Many of the report's recommendations have already been made and others are being "worked on," Bhimji said.
Medicentres has also stopped hiring consultants, he added, and will only do so again if they work strictly out of company offices with company equipment.
Medicentres was recently in court asking for a stay on the release of the privacy commissioner's report and a publication ban on its contents. The judge dismissed the application.
Bhimji said the company wanted more time to respond to a draft version.
Court of Queen's Bench Justice Robert Graesser wrote in his decision that the company's main concern seemed to be "the potential impact the final report may have on the intended class proceedings it faces."
A multimillion-dollar, class-action lawsuit against Medicentres was filed in June on behalf of patients who had their personal data stored on the laptop.
Medicentres and the privacy office agree that, so far, none of the patients has fallen victim to an identity crime.