The B.C. Ministry of Health is sending notification letters to 38,000 people whose personal health information was were inappropriately shared with a researcher.
The information, which was shared in June, includes personal health numbers, gender, dates of birth, postal codes, medication history and Medical Services Plan claims, Health Minister Margaret MacDiarmid said on Monday. It also includes highly personal information collected by Statistics Canada's Canadian Community Health Survey, which concerned individuals' mental, physical and sexual health.
The breach is one of several discovered during an ongoing investigation into allegations of inappropriate conduct, contracting irregularities and data-management and research grant practices involving ministry employees and drug researchers. The ministry learned of the allegations in March, conducted staff interviews in April and launched the formal investigation in May. The interim results of the internal investigation were turned over to the RCMP in August. Seven employees were fired in the fall.
At a news conference on Monday, Ms. MacDiarmid released some details on three of the breaches, noting there were "a number of other breaches" she cannot speak about until the investigation is complete.
In a second incident in June, a USB stick containing a text file of 19 types of health data – relating to more than five million people over several years – was provided to a ministry contractor.
"The file included personal health numbers, gender, age group, length of hospital stay and [dollar] amounts spent on various categories of health care," Ms. MacDiarmid said.
"In this case, the contractor was authorized to receive non-identifiable and/or encrypted data from the ministry, but instead, the data that was received was not encrypted and it was personally identifiable."
In an incident in October, 2010, a USB stick with ministry data containing the personal health numbers of about 21,000 people was shared with a researcher without authorization, Ms. MacDiarmid said. The file detailed diagnostic information for chronic diseases or conditions, including prescription history for some drugs.
The data in these three instances did not contain individual names, social insurance numbers or personal financial information, Ms. MacDiarmid stressed, noting it would be "very difficult to match someone's personal health number to their identity based on the information that was available."
B.C. Information and Privacy Commissioner Elizabeth Denham said the second and third breaches did not warrant personal notifications, Ms. MacDiarmid said. There is no evidence that any of the data were used for anything other than health research.
However, Ms. MacDiarmid defended the ministry's decision to fire the seven employees, suggesting the other incidents she could not yet discuss may have been more serious.
As a result of these events, the ministry is looking to improve information management procedures and has introduced a "mandatory privacy and data security training program for all employees" in addition to similar training all public servants receive, Ms. MacDiarmid said.
Ms. Denham's independent investigation will include these breaches as well as a "broader review of the ministry's data-handling practices in relation to research," she said in a statement on Monday. Her office will issue a public report with findings and recommendations in coming weeks.