Nfld. & Labrador

Privacy breach no more: Eastern Health finds missing USB in file folder

Eastern Health says it’s found the missing USB flash drive containing thousands of employees’ personal information — it was in a file folder in the Human Resources Department the whole time.

False alarm cost Eastern Health more than $100,000

Eastern Health's Debbie Molloy apologizes for any stress the health authority has caused its employees. (CBC)

Eastern Health says it's found the missing USB flash drive containing thousands of employees' personal information — it was in a file folder in the Human Resources department the whole time. The mishap cost the health authority more than $100,000.

According to Eastern Health, an employee found the drive while she was doing some office tidying.

"She pulled a group of file folders out of the shelf and the USB drive fell onto the floor," said Debbie Molloy, interim vice president of human resources.

"We were so very relieved when we found the drive."

Molloy said they are not really sure how the drive got into that location and that they are still investigating employees' actions.

"We did search that office, but there are 50 to 60 workstations that people work in and there are literally thousands of files in that office," she said.

"We were actually hoping that it would turn up."

The health authority reported a privacy breach June 19 when a drive containing sensitive information of 9,000 employees went missing.

Eastern Health president David Diamond said they spent several days tearing apart their offices looking for the missing USB stick, which contained social insurance numbers, names, and employee numbers.

Eastern Health tasked 30 workers full-time to notify all the impacted employees of the breach. The extra labour, among other expenses, cost Eastern Health more than $100,000.

Now, the president of Eastern Health says there's no need for concern.

"Employees can now be assured that their personal information was not at risk and that no further action is required to protect them against identify theft," said Diamond in a release.

"We sincerely apologize for that. We certainly didn't want to put them through undue stress," added Molloy.

Eastern Health changing its privacy regulations

As a result of the incident, Diamond said that Eastern Health is strengthening its regulations around employee privacy. Social insurance numbers won't be used as an employee identifier, and any employee requesting information will first have to answer a number of security questions.

Eastern Health said it is developing a more strict USB and portable media devices policy, and has plans to upgrade its anti-virus platform so that USB drives will be automatically encrypted. 

Comments

To encourage thoughtful and respectful conversations, first and last names will appear with each submission to CBC/Radio-Canada's online communities (except in children and youth-oriented communities). Pseudonyms will no longer be permitted.

By submitting a comment, you accept that CBC has the right to reproduce and publish that comment in whole or in part, in any manner CBC chooses. Please note that CBC does not endorse the opinions expressed in comments. Comments on this story are moderated according to our Submission Guidelines. Comments are welcome while open. We reserve the right to close comments at any time.