Medicentres failed to protect the information of patients

EDMONTON – An investigation by the Alberta privacy commissioner into the theft of a laptop containing details of nearly 622,000 Albertans, found that Medicentres Canada Inc. failed to protect patient privacy and was in contravention of the Health Information Act.

The investigation, under the auspices of privacy commissioner Jill Clayton (pictured), was launched on January 23, 2014, after it was revealed a laptop containing the name, date of birth, provincial health card numbers, billing codes, and diagnostic codes of 621,884 Albertans was stolen in Sept. 2013.

Medicentres was notified on October 1, 2013, that a laptop belonging to an IT consultant working for the company was stolen. However, Alberta’s health minister wasn’t informed until late Jan. 2014.

“I’m quite frankly outraged that this would not have been reported to myself or my department sooner,” said Fred Horne at the time.

Disclosure wasn’t mandatory by law at the time. But the privacy office had guidelines stating anyone involved in a breach should “immediately” respond and notify affected individuals.

The report said staff repeatedly told Medicentres that it should notify people, but the company “spent considerable time considering and rejecting various methods of notification.”

The privacy commissioner’s office said Medicentres technically adopted the privacy office’s guideline, but without a time factor, and should revise its approach to “make sure its responses are more timely.”

Health Minister Horne said he was also angry that the privacy commissioner wasn’t required to inform him about the breach.

Since then, changes have been made to the province’s Health Information Act that require mandatory notification of people affected by privacy breaches. Violations carry a minimum $2,000 fine for an individual and $200,000 for a corporation.

Horne said details, such as how many days should be allowed for notification, are still being discussed but should be finalized in the fall.

The privacy commissioner’s investigation found Medicentres failed to consider privacy risks and failed “to take reasonable steps to safeguard health information on the laptop computer.”

It also found the company “did not provide guidance to the contracted IT consultant about the protection of health information.” Medicentres said the IT consultant was working on an app at the time of the theft.

Encryption is a “no-brainer” that the privacy office has been recommending to health providers for years, said Brian Hamilton, the office’s director of compliance and special investigations.

In addition, he said, Medicentres failed to properly inform the consultant of its security policies and didn’t conduct regular checks on his work.

“This really speaks to governance and delegation of authority and being aware of what your service providers are doing,” Hamilton said.

Medicentres said “to date, there is no evidence to suggest that any of the personal information on the laptop has been accessed or misused.” The company added that it has fully cooperated with the privacy commissioner’s investigation.

“In consultation with the OIPC, Medicentres has already reviewed security procedures and implemented additional policies and processes to further safeguard patients’ information,” the company said. “We will review the report recommendations in detail and continue to work together with the OIPC to effect any other recommendations.”