A number of human errors led to the privacy breach of personal health care information of vulnerable home care clients last summer, a CBC News investigation has revealed.
The CBC's investigation began long before yesterday's revelation that the personal health information of 620,000 Albertans was compromised after a laptop containing personal health information was stolen in September from an Edmonton Medicentre.
Documents obtained by CBC through access to information indicate a client care manager left files containing the personal home care plans for two clients on the roof of her car before driving away on June 27, 2013.
'We do whatever we can to encourage organizations to report the individuals affected by a breach ... sometimes, we have to do quite a bit of cajoling.' - Brian Hamilton
The files included details about the clients' medical conditions, current home care orders, referral forms, and contact information.
According to AHS documents, the client care manager was authorized to transport the files, but breached policy by not securing them in a locked legal bag.
The manager was reminded of AHS privacy policies and ordered to review an online training video. The manager then went on sick leave for a month.
Lost file recovered by house painter
In another incident on July 18, 2013, a courier hired by Revera Home Health services delivered care plans to four home care clients, but left the unsealed packages in mailboxes.
It was brought to the attention of Alberta Health Services when one of the clients complained.
The documents show that at one point, officials even lost track of one of the files and launched a frantic search. In the meantime, the rogue file was recovered by a house painter, who returned it to the upset family.
In a third incident on June 24, 2013, a home care worker employed by Bayshore Home Health brought her sister along while she worked in the homes of seven different clients, something documents indicate is strictly against company policy.
The home care worker said she brought her sister along because she was "lonely."
In each case, Alberta Health Services decided not to inform the clients whose health information was lost, or disclosed in error.
No obligation to inform patients
AHS is not obligated to report breaches, though the Office of the Alberta Information and Privacy Commissioner encourages AHS to inform all patients whose privacy has been breached.
Under the Health Information Act, custodians of health information are under no obligation to report a breach to the commissioner or to the people whose privacy was breached, said Brian Hamilton, director of clients and special investigations.
The B.C. Freedom of Information and Privacy Association, formed in 1991, promotes increased access to public information, while promoting ways to protect personal privacy.
Most other provinces don't, making it a subjective decision of what to release and when.
Not informing the public of major privacy violations undermines trust in public institutions, said Vincent Gogolek, executive director of the non-profit organization.
"If some bad actor inside their organization has access to all kinds of people's medical files and gives them to a motorcycle gang, or (identity) thieves, that we should find out about it ASAP."
Failure to do so, he said, compromises the trust Canadians have in their institutions.