Major privacy breach occurs at Winnipeg hospital

real-cloutierThe Winnipeg Regional Health Authority (WRHA) is dealing with one of the largest patient privacy breaches it has ever seen, after a file containing some personal details about 1,000 people was taken in October from a locked office inside the city’s largest hospital. Officials say a file with billing information related to diagnostic imaging procedures – and containing details about approximately 1,000 patients who underwent those procedures – was removed from a diagnostic imaging office at the Health Sciences Centre on October 7th.

Officials say the paper file was taken from a locked room within an area of the hospital that’s accessible only by swipe cards. It has not been found to date.

The file listed patients’ names and birth dates and identified the medical tests and exams they had – such as CT and MRI scans and biopsies – as well as medical chart reference numbers and physician details. It could also indicate where on a patient’s body a scan or other procedure was performed, says the health authority.

The WRHA started sending letters to affected patients on Tuesday, said Réal Cloutier (pictured), the health authority’s vice-president and chief operating officer.

“We take our responsibility as a trustee of health information seriously and we expect that we protect that information, and unfortunately in this case we have a situation where information was taken,” he told reporters on Wednesday.

Anyone who receives a letter should monitor their financial statements as they normally would, but there is no evidence at this point that affected patients would need to take further action to guard their personal health information, the WRHA says.

Cloutier said the Winnipeg Police Service is investigating the case, and the health authority is conducting its own human-resources and security reviews.

A private security firm with experience in human resources has also been hired to review the incident, he added.

“I just want to be clear that the information that was taken was a minimum amount of health information…. Notwithstanding that, this is a breach and we expect that we will have follow-up on our investigation,” he said.

“We’re doing everything possible to actually recover the file but, again, that’s in the hands of the investigators at this point.”

Security concerns over these kinds of breaches usually fall into two categories, said David Fraser, a privacy lawyer with McInnes Cooper in Halifax. There is the obvious heightened risk of identity theft, but Fraser said victims also face the potential embarrassment of having very sensitive personal details released.

“The name and [date of birth] is not sensitive information in the grand scheme of things, but anything related to your health and the continuum of health, that is very intimate and personal information that could be used for all sorts of purposes, including blackmail,” Fraser said.

Fraser said the burden is on the WRHA to do more to help ease the fears of victims impacted by the security breach.

“If I were the victim of such a breach, I would probably be expecting that the health authority would pay for credit monitoring to make sure that any suspicious activity on the credit report was flagged and caught,” Fraser said.

“I would suggest that the burden should be on [the WRHA] to make sure that they’ve taken all steps reasonably necessary to assist the affected individuals to mitigate all risks associated with this.”

Fraser also believes the WRHA may know more about the breach than they are letting on.

“To go into a cabinet and carry a thousand files out, that suggests a significant amount of effort and a significant amount of determination on the part of the bad guy,” he said. “It raises all the flags.”

Cloutier would not say if a suspect has been identified, but the WRHA says there was no evidence of forced entry into the room.

Everyone who had access to the area has been interviewed, and both the police and private investigators have been reviewing surveillance video footage.

Cloutier said officials do not know why someone would have taken the file, but he added that the minimal amount of personal detail would not be very useful to anyone with malicious intentions.

“We don’t believe that the file was taken for nefarious reasons but, again, we have a duty to inform people so that they’re mindful of what has happened,” he said.

The records did not include patients’ diagnostic information, he added.

In light of the incident, Cloutier said the WRHA has beefed up security in the area where the file was stolen. For example, the locks have been changed in the office in question, and only the supervisor has access to that room and the new key, he said.

Source: CBC News