Alberta Health Minister Fred Horne said Wednesday he is “outraged” a laptop containing key information on 620,000 patients was stolen four months ago but only now brought to his department’s attention.
The information includes unencrypted names, birthdates, health card numbers, billing codes, billing amounts and diagnostic codes for patients who were seen at Medicentre clinics around the province from May 2, 2011, to Sept. 19, 2013.
Horne said the laptop was stolen Sept. 26 and reported by Medicentre days later, on Oct. 1, to Alberta Privacy Commissioner Jill Clayton and the Edmonton police.
Horne, however, said he and his department were not told until Tuesday, when he received a letter from the vice-president of Medicentres.
“On behalf of the citizens of this province I’m quite frankly outraged that this would not have been reported to myself or my department sooner,” Horne told a news conference at the legislature.
Horne said he has asked Clayton to investigate the matter under the Health Information Act to determine what happened and whether any breaches of privacy legislation have occurred.
“I will pursue this matter to the full extent of the law,” he said.
Medicentres operate a chain of primary care clinics.
Arif Bhimji, the chief medical officer for Medicentres, apologized for the information leak.
“Medicentres and myself are truly sorry for what has occurred,” said Bhimji in an interview.
Bhimji said they took what they felt were correct steps, by working with the government through the privacy office and reporting the theft to police. But he said in hindsight it would have been better to keep Horne in the loop.
“I’ve certainly learned that perhaps I should have included the minister at a much earlier stage,” said Bhimji. “It certainly was not our intention to cause the anguish that has been reported.”
Bhimji said they upgraded privacy safeguards.
Among other changes, all patient information is now encrypted; it is no longer put on laptops unless absolutely necessary; and fewer employees and consultants have access to patient data, he said.
He said Horne was notified of the breach Wednesday as part of the rollout of Medicentre’s public information campaign, which includes newspaper ads Thursday and a call centre to handle questions from patients.
“They [Horne’s office] chose to make the announcement a day earlier than we had planned,” said Bhimji.
Bhimji said the laptop has not been found but says no one has since used one of the stolen names to try to fraudulently get care at a Medicentre.
He said the stolen diagnostic codes would reveal a patient’s general ailment, but not details.
Clayton was unavailable for comment Wednesday.
Brian Hamilton, Clayton’s director of compliance and special investigations, said they have been working with Medicentres since the breach.
When asked why the privacy commissioner did not inform Horne’s office last fall, Hamilton said Clayton is duty bound and compelled by legislation to restrict the information to those directly involved.
“It wouldn’t be our practice to notify the minister unless the breach involved one of the ministry’s information systems,” said Hamilton.
Hamilton said they can urge a company to report a privacy breach to a government department, but can’t order it to do so.
He said Clayton would make a decision as early as Thursday on whether to launch an investigation.
Wildrose Party critic Kerry Towle said the issue raises larger concerns about Albertans’ privacy.
“[Albertans] have a right to expect immediate notification if their personal information has been compromised in any way,” said Towle in a news release.