Unsecure faxes put health data of Albertans at risk
Faxes less secure than encrpted email, privacy office says
Entering incorrect telephone numbers into fax machines is being blamed for more privacy breaches of personal health information by Alberta Health Services.
"It's surprising," Brian Hamilton, with the Office of the Alberta Information and Privacy Commissioner, said during an interview. "The health sector in particular, spends millions of dollars on information systems with secure access, and yet people keep faxing."
Sending personal information by fax is a less secure method of transferring information compared to encrypted emails, he said.
- Privacy breaches in Alberta health care system not new
- Alberta laptop privacy breach prompts investigation
- Interactive: Data encryption basics
Documents obtained by CBC News through access to information show that Alberta Health Services were regularly sending faxes intended for Strathcona Home Care to a custom home builder in Sherwood Park over a two-year period.
The information contained the names of clients and their health condition.
At one point the builder was receiving as many as one fax each week.
'Stop faxing us'
Despite repeated calls, the faxes continued until company owner Dianne Ingram sent AHS a fax of her own.
She scrawled, "You have the wrong fax number!! Stop faxing us!!."
That got the attention of managers at AHS, who discovered the source of the problem — an employee inadvertently entering the builder's number into the fax machine, a number one digit off the number of Strathcona Home Care.
While AHS has strict policies about what can be faxed, people make mistakes, said Dr. Verna Yiu, with AHS.
"We do rely on cooperation of the recipient to let us know that, and I would have to say that in general people are pretty co operative about that."
In another example, a wound care plan of a home care client, intended for Boardwalk Centre — a downtown Edmonton apartment complex offering assisted-living suites — was faxed to the Sherwood Park company FlawSpec Manufacturing.
The company returned the documents to AHS in an envelope.
In this case, documents reveal the AHS employee was given the incorrect number by the intended recipient, but in neither example did AHS inform the patient their private health care information had been disclosed.
Manager resists revealing breach to patient
Patients often go uninformed when their information is disclosed.
The documents show on one occasion a home care manager with AHS resisted informing the patient of a breach, telling her supervisor, "I am not comfortable calling this person and informing them. I have never had to do this before.
"I am not understanding why I would disclose in this case versus the other exact same case I had in the past."
While AHS is not obligated to report breaches, Hamilton said his office encourages AHS to inform all patients whose privacy has been breached.
Alberta's information and privacy commissioner Jill Clayton launched an investigation last month into he loss of a laptop containing birth dates, health card numbers and billing codes for 620,000 Albertans.
It's believed the laptop was either lost or stolen from an Edmonton Medicentre in September of 2013.
Clayton's probe will also include a broader review of how privacy breaches are reported in Alberta.
A CBC investigation earlier revealed personal health care information including care plans and medical conditions of vulnerable home care clients were lost last summer, because of employee mishaps such as leaving files on top of a car, then driving away.