B.C.'s Health Ministry must improve privacy controls following three massive data breaches involving the personal records of millions of British Columbians, a report from the province's privacy commissioner concludes.
The privacy breaches came to light last year when then-health minster Margaret McDiarmid revealed seven ministry employees had been fired or suspended for allegedly passing the personal health records of millions of British Columbians to contracted researchers on unencrypted computer memory sticks and flash drives.
- B.C. health officials fired over access to medical records
- Fired manager sues over health data investigation
After the breaches were discovered, seven Health Ministry employees were fired or suspended for the alleged misuse of personal health-care data. At least one of those employees launched a lawsuit against the government.
In her report on the breaches released on Wednesday morning, B.C. Privacy Commissioner Elizabeth Denham found "serious deficiencies" in the Health Ministry's privacy practices and a lack of reasonable security.
'Ministry employees were able to copy a large volume of personal health data onto unencrypted flash drives and share that data ... undetected.' —Elizabeth Denham, B.C. privacy commissioner
"The lack of operational and technical safeguards led to a situation in which ministry employees were able to copy a large volume of personal health data onto unencrypted flash drives and share that data with other parties, undetected," said a statement issued by Denham.
The investigation found that at the time the breaches happened, the ministry didn't have reasonable security in place to protect personal information as required by Section 30 of the Freedom of Information and Protection of Privacy Act.
However, the ministry's response to the data breaches, once discovered, did comply with the act, Denham noted.
The commissioner made 11 recommendations to improve the ministry's privacy practice and promised to follow up with the ministry to ensure the recommendations were addressed.
"Privacy and research are allies, not adversaries, in the pursuit of better health outcomes," said Denham.
7 employees fired or suspended
The investigation into the privacy breaches was launched in March 2012, after the auditor general received a tip that employees at the Pharmaceutical Services Division of the ministry were allegedly accessing and disclosing personal health records.
In September, the Health Ministry investigation concluded an employee had provided a contracted service provider with unauthorized access to the personal health records.
The data included the health numbers of four million B.C. residents, the number of mental health service encounters they had, whether the person had diabetes, the number of hospital stays and all the services billed for that person.
The report found the contractor had asked for the personal health numbers to be deleted from the data, but the employee who provided the information failed to do that.
Further investigations by the Health Ministry and the commissioner revealed two other similar incidents.
In the second instance, an employee provided an external researcher with the health numbers, age, and chronic disease registries of about 20,000 people.
In the third instance, another Health Ministry employee gave data collected under the Canadian Community Health Survey by Statistics Canada, including MSP billing records, hospital discharge summaries, PharmaCare prescriptions and other information to another Health Ministry employee, who wasn't authorized to receive it.
The commissioner noted unencrypted portable data storage devices were used in all three instances to transfer the data.
Tighter security recommended
The report made 11 recommendations to improve the security of health-care databases, including tighter rules on the use of portable data storage devices, conducting an inventory of all databases and tightening access to them, and clarifying data access in contracts with external researchers.
The report noted the Health Ministry had already undertaken several actions, including launching an inventory of databases and who has access to them, putting more databases inside existing systems designed to protect privacy and increase security, closer monitoring of the release of data to contracted researchers, increasing the monitoring and training of employees and establishing a chief privacy officer within the ministry
Following the report's release, Health Minister Terry Lake said all of the recommendations would be implemented.
"As minister of health, I take the responsibility to safeguard British Columbians' personal health information very seriously. The ministry will be accepting and implementing all of the commissioner's 11 recommendations," he said.
Lake also said that the ministry had hired a private auditor to conduct a review of the ministry's practices.
"Late last year, we engaged the firm Deloitte to do a review of ministry data security practices. Much of what the commissioner suggests matches the 10 recommendations from Deloitte's review. We also have accepted Deloitte's recommendations in full, and have already acted on a number of them."