Privacy & Security
4,000 patient records stolen from medical office
March 9, 2016
VANCOUVER – Thieves walked off with the medical records of 4,000 patients after a break-in last month at the Vancouver Division of Family Practice (DoFP), a non-profit group funded by the Doctors of B.C. (formerly the BCMA) and B.C. Health.
The records included names, addresses and B.C. Care Card numbers. The theft occurred before midnight on Feb. 3 after the ransacking of the 11th-floor offices.
“They (thieves) were opening drawers, cupboards and cabinets and they made off with laptops and hard drives,” police spokesman Const. Brian Montague told The Province, a Vancouver newspaper. “They were in there for a long time.”
Police have poor-quality video of two men leaving the building carrying bags, but investigators found no forensic evidence. There was no alarm or security video in the office, and police have no suspects.
A letter sent to patients said the stolen hard drive was encrypted and cannot be accessed. The files, from a closed practice, were being digitized before some were sent to new offices. In the past, the retiring doctor’s staff would have shipped paper files.
How safe are the files of thousands of patients as the province moves to electronic medical records (EMR)?
In a recent audit of B.C.’s health authorities, the Office of the Information and Privacy Commissioner (OIPC) found an estimated 3,000 privacy breaches over 10 years – almost one a day – and commissioner Elizabeth Denham said less than one percent, or 200 incidents, were reported. That included the theft of 159 electronic patient files in three incidents.
Most of the 3,000 breaches dealt with one patient, and large breaches were defined as between five and 400 or more individuals, far fewer than the 4,000 files stolen in the private sector breach.
Denham made several recommendations, including mandatory reporting and better training.
Dr. Terence Chang, a family doctor and CEO of the Vancouver DoFP, declined comment, but a public relations spokeswoman said in an emailed statement that the burgled building had 24/7 security, locked elevators and stairwells and other security measures, and that the company was installing a safe.
It is not known how many breaches there have been with private sector groups that hold medical records because, “It is not a stat that we regularly track,” said OIPC spokesperson Michelle Mitchell. She also said it’s up to doctors to follow the law because the OIPC “doesn’t have the resources to monitor or audit every” group.