Stolen laptop had health data for 80% of N.W.T. residents

A laptop stolen from a locked vehicle in Ottawa contained health-care information about more than 33,000 N.W.T. residents, according to the territory's health department.

Patients' names, birth dates, medical histories stored on unencrypted computer, officials say

Hands are seen typing on a keyboard
Health information of over 33,000 N.W.T residents was on a laptop stolen from a vehicle in Ottawa in May. (Jonathan Hayward/Canadian Press)

A laptop stolen from a locked vehicle in Ottawa contained health-care information about more than 33,000 N.W.T. residents, according to the territory's health department.

The laptop held data on patients and their health histories. It was stolen on May 9, but officials did not disclose the breach until Thursday; providing details in both a statement and teleconference. 

A total of 33,661 residents may have been affected by the breach, which included more than 45,000 entries of personal information, according to the Department of Health and Social Services. The N.W.T. has a population of about 41,800, according to 2016 census data. 

The data included names of patients, their birth dates, home communities and health-care numbers. Some patients' data may have also included their history of infectious disease, health conditions, immunization status and lab test results.

The data wasn't encrypted but officials said the computer had a strong login password and there isn't anything to suggest someone outside the government has accessed the data.

Bruce Cooper, the department's deputy minister, said the government is reviewing its policy toward protecting patient data. 

"Any time you have a critical incident occur, you have to stop, take stock and assess: Are there things that we could and should be doing differently?" he told reporters, adding that the government will examine whether it makes sense to store data in a secure cloud-based system, as opposed to individual laptops.

The information was gathered legally under the Public Health Act and was to be used for statistical analysis on the health of people living in the territory, according to the news release. The employee responsible for the laptop took it to Ottawa for meetings.

Announcement delayed

Though it's been nearly two months since the theft, the government said disclosing it was delayed in part by an investigation by the territory's health privacy officer. 

Damien Healy, a spokesperson for the health department, said in an email Thursday afternoon that the preliminary investigation concluded that "the device was in a secure compartment in a locked vehicle; it was protected by a strong password and the employee believed with reason the device was encrypted. 

"The investigation concluded the custodian had met the expectation regarding protection of this device," Healy wrote. "Important to note that this was the result of a theft and not as a result of an act of commission or omission."

Healy later told CBC News the employee still works for the territory. 

History of breaches

The Northwest Territories health system has a history of patient privacy breaches.

Between April 2016 and March 2017, Elaine Keenan-Bengts, the territory's information and privacy commissioner, investigated eight files under the Health Information Act, including three breaches of patient data.

In her latest annual report, Keenan-Bengts noted health information custodians were "far from compliant" with the act.

One of those cases involved dozens of patients in Inuvik whose health records were compromised. 

In 2014, a doctor at Stanton Hospital in Yellowknife lost a USB drive containing names, health-care numbers and personal medical information for more than 4,000 patients. That same year, the department mailed 195 health-care cards to the wrong addresses due to a spreadsheet error.

Encryption failed or missed

All devices supported by the territorial government's Technology Services Centre are supposed to be encrypted, the news release states. But the stolen laptop was a new device; the encryption process either failed or was missed. 

All of the other laptops and tablets have been checked and technical support staff are following up with any laptops that aren't connected to the system, the release said.

Cooper said that, in the aftermath of the theft, he emailed the department's entire staff and directed individual health authorities to review that all devices are encrypted.

  "Until we have certainty that encryption is in play universally, we don't want any mobile devices to leave the building," he said.