Canadian hospital loses hard drive containing 3,600 patient photos

The hard drive contained information that included the patient’s name and hospital number, as well as photos and videos. Covenant Health stressed that the missing drive did not contain the Alberta Health Care number or any other personal identification, “with the exception of four files”. The Covenant Health statement did not elaborate on what was contained in the four files.

“We apologize for the emotional distress the loss of this hard drive may cause our patients”, said Patrick Dumelie, Covenant Health president and chief executive officer. “I also want to reassure anyone who comes to our facilities for care, changes have been made and we are working with staff and the Office of the Information and Privacy Commissioner to prevent this from happening again.”

Covenant Health said that the originals of the missing images have been uploaded to a secure server and that it is reviewing its practices and providing staff education and training about secure image storage. The patients are being notified of the data loss by phone.

The company said that the hard drive was last seen Jan. 17, 2011, during a move of office equipment to a new location. It was first noticed missing Jan. 28, 2011. The statement did not explain why it took more than 10 days for hospital staff to notice that a hard drive with sensitive information was missing.

Canada’s Office of the Information and Privacy Commissioner was informed on Feb. 3, 2011. There was no sign of break-in or theft, the statement said.

David Eggen, director of Friends of Medicare, said the loss of patient videos and photos highlights the need for the Alberta government to enact a privacy protection law.

“This is a big concern and the government needs to standardize and reinforce the confidentiality rules that come from the provincial government so we don’t see incidents like this in the future”, Eggen was quoted by the Edmonton Journal as saying.

Dumelie stressed that the hospital had in place policies on information security, but staff did not follow the policies in handling the hard drive.

“Clearly security policies surrounding the security of patient data were in place at this hospital, but they just weren't followed, so the answer has to be to introduce multiple layers of security, which staff simply cannot circumvent, even if they want to”, commented Andy Cordial, managing director of UK storage system firm Origin Storage.
