North

5 takeaways from the N.W.T. stolen laptop health data breach documents

Here's a summary of some key findings from CBC's stolen laptop files series.

In case you missed the 3 stories in the series, here are a few takeaways

An unencrypted laptop belonging to an employee at the N.W.T. Department of Health and Social Services was stolen in Ottawa last may. (Benjamin Aubé/CBC)

This January, CBC News began looking into hundreds of pages of internal N.W.T. government documents and emails about a stolen laptop incident last year — which put at risk health data on nearly the entire territory's population.

Last May, the unencrypted laptop belonging to an employee with the Department of Health and Social Services was stolen from a locked vehicle in Ottawa.

The laptop, which was used for statistical analysis, has not been found.

CBC News filed an Access to Information request with the Health Department about the incident, which produced more than 350 pages of documents.

Here are some takeaways:

1. The scope was much larger

The number of people potentially affected is closer to 40,000, documents reveal. That's compared to the 33,661 people the government initially quoted last summer in a public announcement.

And health information on people from every province and territory in Canada may have been stored in the stolen laptop, according to the documents.

(CBC News Graphics)

Thousands of records were related to HPV vaccinations, C. difficile (colon infections), pap smears, whooping cough, blood tests for tuberculosis, sexually transmitted infections and antibiotic-resistant diseases, among others.

One data source that has 100 per cent of N.W.T. residents' demographic information may also have been on the laptop. 

That system is regularly updated and is "the most up-to-date source" for residents' names, dates of birth, communities of residence, sex, health-card numbers and "other important indicators," documents reveal.

2. Laptop was left in a busy, public area notorious for thefts

The documents reveal that the laptop was stored inside the health department employee's backpack, and placed behind the centre console of a rented Dodge Grand Caravan. 

The minivan was parked in an underground parking garage in ByWard Market in downtown Ottawa, according to documents.

The employee then had a busy night of searching public dumpsters, planters and even dark alleyways, she says in her initial report to the department.

That area of Ottawa sees a hundred thefts reported weekly, according to police quoted in internal emails.

3. Questionable privacy training at Health Department

Documents suggest the health department employee did not routinely permanently delete sensitive data files off the laptop.

The employee, a manager within the department, also received training on the secure use of portable devices and safeguarding health data just two weeks before the theft.

The documents show training for health department staff seems to be a recent and infrequent practice.

The chief health privacy officer says in an email that she "did not believe any privacy  training has been provided to date" by the previous officer, before she started her job in 2017.

The Health Department said it's taking steps since the theft to bolster its privacy training by 2020.

4. Encryption was 'very difficult,' so IT staff issued laptop without it

The laptop belonged to a group of about 20 to 40 devices piloted back in 2013. It was a Lenovo Helix tablet and laptop hybrid device, according to documents. 

Laurie Gault, the government's director for the Technology Service Centre, told CBC that IT staff were unfamiliar with encrypting tablets at that time. The centre is responsible for encrypting and issuing government laptops.

An N.W.T. government IT employee says the qualification of some IT staff and managers are questionable. (Chantal Dubuc/CBC)

Documents also reveal the government's encryption software was incompatible with the Lenovo tablet-laptop hybrid in 2013. 

"This particular device was very difficult to encrypt, so it was issued without encryption," says the N.W.T.'s chief health privacy officer in an internal email.

An IT worker who currently works for the government told CBC some IT staff and managers are not qualified to do their jobs.

Gault said she had "high confidence" in her IT staff.

5. The laptop will probably never be found

Ottawa police did not formally investigate the theft, according to internal emails.

Police told CBC the case was closed as there were no witnesses or video footage available from the area where the car was parked.

Emails say a constable told the department the laptop was "likely sold for a small sum" and was "likely wiped clean."

"No investigation was assigned," states an internal email. "With no leads, the case has been closed."

Comments

To encourage thoughtful and respectful conversations, first and last names will appear with each submission to CBC/Radio-Canada's online communities (except in children and youth-oriented communities). Pseudonyms will no longer be permitted.

By submitting a comment, you accept that CBC has the right to reproduce and publish that comment in whole or in part, in any manner CBC chooses. Please note that CBC does not endorse the opinions expressed in comments. Comments on this story are moderated according to our Submission Guidelines. Comments are welcome while open. We reserve the right to close comments at any time.