Another damning report and a new set of privacy guidelines by Elizabeth Denham, British Columbia’s information and privacy watchdog.Denham delivered the results of her probe of the Ministry of Health’s massive privacy breaches on June 26, the very day British Columbia’s lawmakers returned to Victoria for their first sitting after the May 14 election.
Denham examined three breaches of personal health data, stemming from a scandal that began in May 2012 when information from every British Columbian’s health file was transferred via thumb drive to a contractor. The scandal also involves allegations of conflicts of interest in the Pharmaceutical Services Division.
“Personal health information is much more than ‘just data’ – it is sensitive information provided confidentially in the context of care,” Denham wrote.
“The Ministry failed to translate privacy and security policies into meaningful business practices. The primary deficiency at the Ministry was a lack of effective governance, management and controls over access to personal health information.”
“At the time the breaches occurred, there was a lack of clear responsibility for privacy within the Ministry. This was due, in part I believe, to a lack of clarity of roles and responsibilities following the centralization of some information access and privacy functions. Ministry privacy governance was further weakened by a complete lack of audit and review of employee and contractor functions relating to privacy. There were no mechanisms to ensure that researchers were complying with the privacy requirements, as stipulated in contracts and written agreements, and to ensure that Ministry employees were taking appropriate privacy training and following privacy policies.
“As a result, Ministry employees were able to download large amounts of personal health data onto unencrypted flash drives and share it with unauthorized persons, undetected.”
It is B.C.’s biggest privacy breach scandal, but it is not unique.
Via Freedom of Information, the government reluctantly provided me a list of 350 incidents from 2010 to 2012. They range from the ridiculous to the disgraceful. See the documents below. Listen to The CKNW AM 980 Investigators podcast, from June 18, 2013.
Have you been a victim of a government privacy breach? Contact me.