British Columbia's Health Ministry must improve its personal privacy practices after three breaches that compromised the personal health information of millions of people, the province's privacy commissioner has found.
There was a "lack of clear responsibility for privacy within the ministry" at the time of the breaches, Elizabeth Denham wrote in a report released Wednesday. She believed this was due, in part, to a lack of clear leadership and clarity of roles.
"Ministry privacy governance was further weakened by a complete lack of audit and review of employee and contractor functions relating to privacy," she wrote. "There were no mechanisms to ensure that researchers were complying with the privacy requirements, as stipulated in contracts and written agreements, and to ensure ministry employees were taking appropriate privacy training and following privacy policies.
"As a result, ministry employees were able to download large amounts of personal health data on to unencrypted flash drives and share it with unauthorized persons, undetected."
Two of the three breaches occurred in June, 2012. In one, a contracted service provider asked a ministry employee for a table that had two years of health information for each of the approximately four million people in B.C., for "testing purposes," according to the report. The information included personal health numbers (PHNs), the number of mental-health-service encounters and the number and length of hospital stays. The contractor requested that PHNs be removed; however, the ministry employee provided a flash drive with information that included unencrypted PHNs.
In the second breach the same month, one ministry employee gave another employee – who was also an academic researcher – data from Statistics Canada's Canadian Community Health survey, which concerned individuals' mental, physical and sexual health, alcohol and drug use. The employee was not authorized to disclose such data. The ministry sent out notification letters to about 38,000 people whose information was compromised.
A third breach occurred in October, 2010, and also involved a ministry employee giving a researcher personal data without authorization. This time, the data included the health information – including PHNs, chronic disease diagnoses and pharmaceutical histories – of more than 20,000 people.
Such information is invaluable to health researchers, but personal health data must be managed securely, Ms. Denham wrote. She concluded her report with 11 recommendations, including that the ministry implement technical security measures to prevent unauthorized information transfer; create a program to monitor and audit compliance by employees and contracted researchers; and ensure employees with access to such databases participate in mandatory privacy training.
The ministry has accepted and will be implementing all of Ms. Denham's recommendations, newly appointed Health Minister Terry Lake said.
The unauthorized disclosures of personal information were discovered during an ongoing investigation into allegations of inappropriate conduct, contracting irregularities and data-management and research-grant practices involving ministry employees and researchers. Seven employees were fired last fall after the probe, then-health minister Margaret MacDiarmid said.