Considering that Canada has a population of only 35 million, the numbers are significant.
As so often happens in these situations, this was a case of health data being saved on unencrypted USB sticks. In the most egregious case, and the only one requiring that patients be notified, a thumb drive given to a medical research contractor contained plain-text information such as personal health numbers, gender, dates of birth, postal codes, medication history and Medical Services Plan claims, along with highly personal information from Statistics Canada’s Canadian Community Health Survey. The latter covers data about mental, physical and sexual health.
However, the data did not include names, social insurance numbers or financial information – and the ministry was quick to stress that it is unlikely that the information is being used for anything untoward.
"I take this very seriously, but I do feel that I can be reassuring," said Health Minister Margaret MacDiarmid, speaking to CTV. "We don't believe there is a great risk to individuals with this information because there is no evidence at all that the information has been used for anything other than health research."
The discovery of the wayward USB practices arose from an ongoing probe launched in September into research-grant practices between researchers and the ministry, she noted. Three specific data breaches have been discovered so far.
In October 2010, a USB drive containing the health numbers of 21,000 people and the diagnostic information for 262 chronic diseases/conditions was given to a researcher without requests for the data being made through the proper channel.
In June 2012, the same month as the notification-triggering breach previously outlined, a staggering five million unencrypted plain-text records found their way into the hands of a contractor by way of USB stick. The information included personal health numbers, gender, age group, lengths of hospital stays and the amounts spent on various categories of health care.
MacDiarmid said the ministry is tracking the cost of the breach, noting she could not yet provide any firm numbers.
Seven employees have lost their jobs and two lawsuits are ongoing as a result of the probe. Malcolm Maclure, a director of research and evidence development with the ministry's pharmaceutical services division, has filed a defamation suit against his employer, while the recently fired Ron Mattson is suing MacDiarmid and the province for wrongful dismissal, wrongful withholding of pay and defamation.
BC Information and Privacy Commissioner Elizabeth Denham is also launching an independent investigation.
The USB vulnerability is an ongoing concern in healthcare. A recent report from the Ponemon Institute found that 75% of US healthcare facilities surveyed don't secure medical devices containing sensitive patient data, while 94% have leaked data in the last two years – largely because of staff negligence.