A laptop with the unencrypted personal health information of 620,000 Albertans was stolen last September, Health Minister Fred Horne announced Wednesday.
The laptop contained the names, dates of birth, provincial health card numbers, billing codes and diagnostic codes of the individuals seen at Medicentres between May 2, 2011, and Sept. 10, 2013. The computer was stolen on Sept. 26.
Horne said that he was informed of the theft on Tuesday, when he received a letter from the vice-president of Medicentres Family Health Care Clinics.
He has asked the privacy commissioner for an official investigation under the Health Information Act to find out why health officials have only just been told about the theft.
“On behalf of the citizens of this province, I am quite frankly, outraged that this would not have been reported to myself or my department sooner," Horne told reporters.
“The theft of personal health information of 620,000 fellow citizens is unacceptable in Alberta’s health-care system in any circumstance.”
Edmonton Police, the Alberta College of Physicians and Surgeons and the Alberta Medical Association have also been notified.
Check credit card statements
In a news release, Medicentres says they were told on Oct. 1 that the laptop belonging to an information technology consultant was stolen.
The release further states that police and the privacy commissioner were notified immediately. However, Edmonton police said the theft was reported four days later on Oct. 5.
"To date, Medicentres has no information to suggest that any of the personal information on the laptop has been accessed or misused," the news release states.
"Medicentres has already implemented a number of additional security measures and we are further auditing our security policies and procedures and are implementing further measures to ensure that personal information is further safeguarded."
The chief medical officer for Medicentres, Dr. Arif Bhimji, said the laptop was stolen in Edmonton.
The consultant had access to so much information because he was working on a database needed to submit claims to the Alberta government.
There was a delay in notifying the public because Medicentres was trying to figure out how to best do it, he said.
"We kept the privacy commissioner involved and advised of our progress over this period of time," Bhimji said.
"I wish we could have done it sooner, but this was the first time ever having to deal with this sort of situation and it took a lot longer than we would have liked it to take."
He is advising anyone who thinks that their information was stolen to check their credit card statements to make sure nothing is out of the ordinary.
Bhimji said Medicentres is now seeking answers on why the stolen laptop's data wasn't encrypted.
"We have certainly asked for a response to that question from our IT consultant, who we would have hoped would have understood that this would be an important privacy matter to be concerned," he said.
Bhimji declined to name the firm where the consultant works.
"We are terribly sorry that this has occurred. We regret that it has taken much longer than we would have liked to inform Albertans with respect to this and we truly do apologize for the inconvenience that some of these people are going to face and the concern that this is going to cause them."
Privacy boss to decide on investigation
Alberta privacy commissioner Jill Clayton is en route to Edmonton and will decide tomorrow whether to commence an investigation.
Brian Hamilton, director of compliance and investigations, said that his office had been urging Medicentres to make the theft public since October.
Horne said anyone who might be affected can lodge a complaint with the privacy commissioner.
“When first asked for my reaction about this I was speechless. I find it incredibly hard to believe that in a province such as Alberta that such an incident could occur," he said.
Opposition leader Danielle Smith of the Wildrose Party said it was inconceivable that it had taken so long for the breach to be made public and that the health minister wasn't notified sooner.
“Why did all of this information exist in a single file on a computer in the first place?” Smith asked.
“The requirement of the Health Information Act is that vendors are only supposed to access the amount of information that they need to provide the service and no more.”