LETHBRIDGE, Alta. – An unencrypted laptop computer containing the health information of 5,000 patients with sleep disorders was stolen in October from an Alberta Health Services clinic. Earlier this year, the Alberta government was embarrassed to learn that a laptop computer containing 620,000 patient records was stolen from Medicentres, a chain of private clinics.
Alberta Health Services is now warning approximately 5,000 clients who visited Lethbridge Sleep Clinic over the last decade, and were prescribed treatment for sleep apnea, that they are at an increased risk of identity theft because their names and addresses were on the stolen computer’s hard drive.
Meanwhile, the province’s privacy chief warned that a similar breach in future by the health authority or another organization that is a custodian of patient data could result in a fine of up to $500,000.
Brian Hamilton, director of compliance and special investigations with the Office of the Information and Privacy Commissioner, said recent amendments to health information legislation will soon make it an offence if sensitive information is not properly secured.
“This kind of thing does keep happening, a lot of lost and stolen laptops and mobile devices, and we’ve been saying consistently since 2006 that the standard of protection for those things is to encrypt them,” Hamilton said.
“If you don’t implement reasonable security controls, that will soon be an offence under the amended law.”
While AHS has internal policies requiring that all computers it uses that contain health information be encrypted, the authority’s chief officer for the province’s south zone said the device in question – supplied to the clinic by a vendor of continuous positive airway pressure equipment and masks – was only password protected.
The missing laptop did not include patient diagnoses or health care numbers, but names, addresses, dates of service and types of equipment were listed in the database. While the theft was reported to Lethbridge Regional Police the same day it occurred, investigators have so far been unable to apprehend a suspect or recover the computer.
The device was apparently stolen by a man who entered the downtown premises during normal operating hours.
The OIPC has received voluntary notifications of over 50 privacy breaches involving health information in each of the last two years. Under the amended Health Information Act, it will become mandatory to alert the privacy commissioner and the health minister, and to inform the affected individuals.
“There’s probably quite a few breaches we haven’t been hearing about,” said Hamilton, “problems that it will soon be illegal not to report.”