Skip to main content

The Globe and Mail

B.C. Health Ministry told to strengthen privacy practices

Elizabeth Denham says the B.C. Health Ministry must do more to protect personal information.

Adrian Wyld/Canadian Press

British Columbia's Health Ministry must improve its personal privacy practices after three breaches that compromised the personal health information of millions of people, the province's privacy commissioner has found.

Elizabeth Denham ruled that there was a "lack of clear responsibility for privacy within the ministry" at the time of the breaches, she wrote in a report released Wednesday. She believed this was due, in part, to a lack of clear leadership and clarity of roles.

"Ministry privacy governance was further weakened by a complete lack of audit and review of employee and contractor functions relating to privacy," she wrote. "There were no mechanisms to ensure that researchers were complying with the privacy requirements, as stipulated in contracts and written agreements, and to ensure ministry employees were taking appropriate privacy training and following privacy policies.

Story continues below advertisement

"As a result, ministry employees were able to download large amounts of personal health data on to unencrypted flash drives and share it with unauthorized persons, undetected."

Two of the three breaches occurred in June, 2012. In one, a contracted service provider asked a ministry employee for a table that had two years of health information for each of the approximately four million people in B.C., for "testing purposes," according to the report. The information included personal health numbers (PHNs), the number of mental-health-service encounters and the number and length of hospital stays. The contractor requested PHNs be removed, however the ministry employee provided a flash drive with the information that included unencrypted PHNs.

In the second breach the same month, one ministry employee gave another employee – who was also an academic researcher – data from Statistics Canada's Canadian Community Health survey, which concerned individuals' mental, physical and sexual health, alcohol and drug use. The employee was not authorized to disclose such data. The ministry sent out notification letters to about 38,000 people whose information was compromised.

A third breach occurred in October, 2010, and also included a ministry employee giving a researcher personal data without authorization. This time, it included the health information – including PHNs, chronic disease diagnoses and pharmaceutical histories – of more than 20,000 people.

Such information is invaluable to health researchers, but personal health data must be managed securely, Ms. Denham wrote. She concluded her report with 11 recommendations, including that the ministry implement technical security measures to prevent unauthorized information transfer; create a program to monitor and audit compliance by employees and contracted researchers; and ensure employees with access to such databases participate in mandatory privacy training.

The ministry has accepted and will be implementing all of Ms. Denham's recommendations, newly appointed Health Minister Terry Lake said.

The unauthorized disclosures of personal information were discovered during an ongoing investigation into allegations of inappropriate conduct, contracting irregularities and data-management and research-grant practices involving ministry employees and researchers. Seven employees were fired last fall after the probe, then-health minister Margaret MacDiarmid said.

Story continues below advertisement

Report an error Licensing Options
About the Author
News reporter

Based in Vancouver, Andrea Woo is a general assignment reporter with a focus on multimedia journalism. More

Comments

The Globe invites you to share your views. Please stay on topic and be respectful to everyone. For more information on our commenting policies and how our community-based moderation works, please read our Community Guidelines and our Terms and Conditions.

Please note that our commenting partner Civil Comments is closing down. As such we will be implementing a new commenting partner in the coming weeks. As of December 20th, 2017 we will be shutting down commenting on all article pages across our site while we do the maintenance and updates. We understand that commenting is important to our audience and hope to have a technical solution in place January 2018.

Discussion loading… ✨