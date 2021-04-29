A privacy breach that saw the personal health information of thousands of children with disabilities accidentally shared could have been prevented if action had been taken following a similar error just days earlier, Manitoba's ombudsman's says.

On Aug. 26, 2020, an employee at Children's Disability Services sent out an email containing the personal information of 8,900 kids receiving the agency's services.

The message was only supposed to go to the Manitoba Advocate for Children and Youth, but about 100 service agencies and community advocates were accidentally blind copied.

While the email was encrypted, a password was sent out to the same large group moments later, disclosing information including children's names, dates of birth and addresses, and details about their diagnoses.

The incident was quickly referred to the Manitoba ombudsman, as is standard practice, the province said at the time.

"This privacy breach … was unprecedented in its scope for this province," Manitoba ombudsman Jill Perron wrote in a final report into the incident released on Thursday.

"When those affected are vulnerable children and youth, the impact of a privacy breach of sensitive personal health information for those children and their families can be devastating."

Perron's report found that someone at the disability services agency made a nearly identical mistake 13 days earlier — except that time, no personal information was disclosed.

That error resulted in one of the agencies that was accidentally copied on the email writing back "almost immediately" to let the sender know what they'd done, which "should have been a red flag that information was sent to the wrong people in error," Perron wrote.

"We find that this represented a significant missed opportunity … for program management to identify and stop the blind copying of the agency service providers and community advocates on email messages" sent to the youth advocate's office, Perron said.

"If identified and corrected, it may have prevented the error from recurring on August 26, resulting in the unauthorized disclosure of client personal health information."

The ombudsman's investigation found the breach was unintentional and the providers that accidentally got the private information acted quickly to destroy it.

It also found that while the province's Families Department took appropriate action to respond to the breach, it didn't fully implement privacy policies and procedures or pledges of confidentiality required by the Public Health Information Act.

The report made nine recommendations to Manitoba Families for how to strengthen its policies and procedures around privacy obligations, all of which were accepted, the report said.

The ombudsman will follow up in 2022 to make sure those steps are taken.