Carelessness with portable storage devices has led to personal health information being leaked on three separate occasions. During a press conference on Monday, Margaret MacDiarmid, British Columbia's Health Minister, said "there have been three instances of health data which has been inappropriately accessed and the public needs to be aware of these."
While sensitive information from millions of British Columbians has been leaked, there were no names attached to the data, according to the Ministry.
"Our policies do require that the USB sticks would be password-protected and encrypted if they are to be used to carry personal health information and this was not done," said MacDiarmid.
The announcement comes as an update on the Ministry of Health's investigation regarding misuse of personal health data that was first announced in September 2012. It involves allegations of inappropriate conduct, contracting and data-management practices involving former ministry employees, researchers and contractors.
"We understand that it's our responsibility to safeguard British Columbians' health information and we do take that extremely seriously," said MacDiarmid.
Two of the confirmed cases took place in June of 2012. The first case involved health data from 38,486 people being shared with an individual. This data included personal health numbers, gender, date of birth, postal codes and information linked from Statistics Canada's Canadian Community Health Survey. Even though personal names, SIN numbers, street addresses and financial information weren't included, other things such as hospital admissions, discharges and medication history were included in the data.
"We have not found any evidence that any of this data has been used for anything other than health research," said MacDiarmid.
Because Statistics Canada's Canadian Community Health Survey provided some of the information, the disclosure of this information breached an agreement between the ministry and Statistics Canada.
"In this particular case, the ministry is going to be sending personal letters to each of the individuals to inform them about what has happened with their information, and this direct notification is consistent with the recommendations that was sought from the office of the information and privacy commissioner," she said.
In the second case, 19 types of health data from over 5 million people, including things such as health numbers, gender, age group, length of hospital stay and amount spent on various categories of health care, were provided to a ministry contractor.
The contractor was authorized to see some information from the ministry in non-identifiable and/or encrypted form. However, this person instead received unencrypted and personally identifiable data.
The third case took place in October 2010. Data containing personal health numbers and diagnostic information for 262 chronic diseases or conditions, including things like prescription history for certain drugs, for approximately 21,000 people was shared with a researcher without the data request being approved.
"It's important for me to stress that in none of these three instances … there were no individuals' names attached to this information. There were no social insurance numbers and there was no personal financial information. This was never part of any of these data," explained MacDiarmid.
She also added that documents containing traditional medical files of any individuals were not obtained.
"The information that was accessed was formatted in data tables. In two of these cases, the information was saved in a format that would not be readily available to individuals without a specific software program … it would be very difficult to match someone's personal health number to their identity based on the information that was available."
However, MacDiarmid explained that she did not think it would be difficult for someone to get access to the computer software.
"I don't know how you would do it, but I don't think it's particularly difficult if the person has the knowledge and skill to do that. It's an open source software, as I understand it," she said.
However, according to MacDiarmid, the ministry is taking steps to ensure that something like this does not happen again.
As a result of the information being misused, as well as the contracting issues and data management practices, seven people have been let go from the ministry.
"Our rules or our laws already set a very high standard for protecting privacy, but we are looking at ways that we can enhance our data security procedures. Shortly after these events became known to us, we engaged a consulting firm, Deloitte, and they are reviewing our information management procedures and our practices. We've asked them to recommend ways that we might be able to improve them," explained MacDiarmid.
In order to prevent information being incorrectly distributed again, the Ministry has introduced data and security training programs that must be taken by all employees.
"This is in addition to the training which they would have already received, privacy and security training which is mandatory for all public servants," she said.
MacDiarmid would not get into the specifics of whose information could have been leaked.
Northern Health was not able to comment on whether any of the leaked information related to residents of the Peace Region and directed all questions towards the Ministry of Health.