Your medical records are not safe, and we are a bunch of buffoons: that is the message the territorial government offered its citizens last week after a man found stacks of confidential health records at the dump.
Randal Sibbeston found the banker’s box full of medical records at the Fort Simpson landfill, we reported last week. They contained social insurance numbers, prescriptions, mental health histories and other bits of personal information.
It was the latest incident in what has been a boom time for the exposure of personal information by the Department of Health and Social Services, characterized by a steady drumbeat of data breaches.
In May, a laptop with more than 33,000 medical records containing information on about 80 per cent of NWT residents was stolen from a parked car in Ottawa. In 2016, the Beaufort Data Health and Social Services Authority confirmed the medical records of 67 patients had been compromised. In 2014, a doctor at Stanton Territorial Hospital lost a USB stick containing the medical records of about 4,000 people. In 2012, the government mistakenly faxed medical records to the CBC.
Data breaches are an almost annual occurrence for the health department and it should be noted that in this era of high anxiety surrounding digital security, these slip-ups have been embarrassingly analogue.
Our breaches are not orchestrated by nefarious companies, such as Cambridge Analytica, nor are foreign hackers out to steal our sensitive medical records in an effort to undermine the nation’s democratic institutions.
No. Our breaches are almost refreshingly folksy. They involve people who leave expensive computers in vehicles (never a good idea), who misplace their thumb drives (happens to the best of us) and who don’t know how to use a fax machine (it is the 21st century, who even faxes anymore?).
It is almost if the classic Sesame Street character Forgetful Jones were running the health department. Jones was so named as he always forgot everything. He had two horses, Buster and Buster’s brother Whatshisname.
Fortunately, it would appear that another classic Sesame Street character named Mr. Lucky, whose karmic fortitude ensures things work out for him, is also with the GNWT because the results of these breaches have been relatively inconsequential.
The USB stick was eventually found, the CBC faxed the records back and Sibbeston had the wherewithal to take the data and call the proper authorities.
The medical records of the 134 individuals impacted by the breach have been turned over to NWT Privacy Commissioner Elaine Keenan Bengts and the Northwest Territories Health and Social Services Authority (NTHSSA) has begun notifying patients whose records were found.
Sibbeston should be commended; a less scrupulous person might have read through the records, used them for kindling or worse.
Health Minister Glen Abernethy has also been lucky. He was recently lambasted in the press and legislative assembly after a report from Canada’s Office of the Auditor General outlined the failures of the territory’s child and family services.
In the wake of the report, a number of MLAs called for Abernethy to resign and he barely survived a non-confidence vote in the legislative assembly on Oct. 31 by an 11 to 7 margin.
How would’ve Abernethy fared if Sibbeston had found the records prior to the vote and not after? Mistakes happen and data is misplaced but the Department of Health and Social Services is obviously struggling to implement the Health Information Act, which was enacted in 2015 and outlines how a person’s medical records are collected and protected.
After the breach in 2016, the department was supposed to give all staff privacy training but in July we reported that only 30 to 50 per cent of employees had finished the training.
The government needs to do something to restore its tattered credibility.
Abernethy and the other highly paid personnel who have been entrusted with our medical records need to renew their dedication to privacy and this latest blunder requires a detailed investigation and a public explanation.