Alberta privacy commissioner investigates big breach

EDMONTON – Alberta’s Information and Privacy Commissioner has confirmed that she will launch an investigation into the Medicentres privacy breach, as well as a broader review of the way breaches are reported in the health sector.

“This incident raises concerns about how privacy breaches are reported generally,” said privacy commissioner Jill Clayton (pictured). “Therefore, in addition to the Medicentres investigation, we will also be conducting a thorough review of the broader issue of privacy breach reporting by the health sector in Alberta.”

In January, Alberta Health Minister Fred Horne announced that a laptop containing the name, date of birth, provincial health card numbers, billing codes, and diagnostic codes of 620,000 Albertans was stolen in September. It is said to be largest breach of privacy in Canada.

Horne said he received a letter from the vice president of Medicentres Family Health Care Clinics informing him of the theft, which the company learned about on Oct. 1, 2013. “I’m quite frankly outraged that this would not have been reported to myself or my department sooner,” said Horne.

Medicentres said the laptop belonged to an IT consultant working for the company. Dr. Arif Bhimji, chief medical officer with Medicentres Canada, says the IT consultant was working on an app at the time.

“Immediately upon learning of this theft, Medicentres contacted the Edmonton Police Department and the Office of the Information Privacy Commissioner in Alberta,” read the company’s statement.

Clayton explained why the theft of the laptop was not reported to the health minister until nearly four months after it happened.

“Currently, there are no provisions under Alberta’s Health Information Act (HIA) requiring a health custodian to report a breach to my office or notify affected individuals.”

“When we do receive reports of this nature, it is done on a voluntary basis. Decisions about when and if affected individuals will be notified of a breach are the responsibility of the custodian. I have no authority to require custodians to notify affected individuals,” Clayton said.

She explained that when a breach is reported to the Office of the Information and Privacy Commissioner of Alberta (OIPC), it works with the party to assess the risk and makes recommendations on how the group should handle it and prevent future breaches.

“When there is the potential for harm to individuals, it is always our practice to recommend immediate, direct notification to all affected parties.”

Clayton said the Health Information Act prohibits the privacy commissioner from releasing any information obtained in performing her duties.

She explained that, under Alberta’s private sector privacy law, if there is a risk of significant harm to an individual, organizations must report a breach of personal information to the Privacy Commissioner. In that case, Clayton said she can force the organization to notify all those affected.

Clayton said she has advocated for mandatory breach reporting and notification provisions to be added to the FOIP.

John Russo, chief privacy officer for Equifax Canada, called this the biggest breach of privacy in Canadian history. “From our experience, this is the biggest one in Canada,” he says. “Last year, student loans had a loss of 550,000 Canadians. This beats it by 70,000.”

In October, he says Equifax noticed about a five per cent increase in identity thefts in Alberta, but cannot say for certain if the trend is related to the laptop theft.

Russo believes the information contained on the stolen laptop would be enough to do damage. “With sophisticated fraudsters, a name and a date of birth, they can do some serious harm to consumers. Just with that information alone, they can set up fake IDs, start applying for credit in your name, stealingyour identity.”

“At a minimum, consumers should at least put a credit alert on their file… to notify credit granters that their ID has been lost, stolen or compromised.”

However, Mike Berezowsky with Service Alberta, disagrees.

“The information included name, date of birth, and the health care card number, as well as some additional billing information – none of that is the kind of thing that, alone, would get you a driver’s license or an Alberta ID card.”

Service Alberta says government-issued photo ID is required to get identification in another name. A facial recognition system is also used.