WorkSafeNB has sent out more than three thousand letters of apology over a serious privacy breach.
The agency provided a USB drive containing the names and health information of injured workers to a polling firm.
The drive was not password protected.
It happened when WorkSafeNB hired a private company to do a survey of injured workers in 2014.
'Where we failed was we gave them more information than what they needed.'
- Sonia Lanteigne, Associate Council, WorkSafeNB
"We communicated some information that was necessary for the firm to contact injured workers," explained Sonia Lanteigne, Associate Council at WorkSafeNB. "Where we failed was we gave them more information than what they needed to do the survey."
The information was given to Corporate Research Associates, a Halifax-based research firm.
Included on the USB drive were the names of injured workers, addresses and telephone numbers, all needed for the survey.
Personal information revealed
But also included were the dates of their workplace accidents, whether or not the WorkSafeNB claims were active, benefits end date, and the phone numbers of their employers.
After receiving a complaint from a worker, N.B.'s Access To Information and Privacy Commissioner, Anne Bertrand, investigated.
"The injured worker was quite surprised and upset to learn that what that person believed to be a marketing or survey company had information," said Bertrand.
Bertrand blasted WorkSafeNB in a report issued at the beginning of July.
Still, WorkSafe would wait three months before mailing out the apology to the workers affected, in a letter dated Oct. 28.
Since filing the report, Bertrand said she has worked with WorkSafeNB, and is confident the organization has learned from its mistake, and will not repeat.
For its part, Corporate Research Associates said it only used relevant information, and conducted the survey as asked, which was about perceptions regarding returning to work.
The company said it then deleted the information, as it normally does.
In its apology, WorkSafeNB assured the people affected their private information was not shared outside Corporate Research Associates, and has since been destroyed.