Commissioner orders stronger IT data protection
The theft of a laptop from a SickKids physician containing the personal health information of 2,900 patients has resulted in a swift order from Ontario’s Information and Privacy Commissioner, Ann Cavoukian.
Cavoukian has ordered the Hospital for Sick Children in Toronto to implement specific protection mechanisms, including the encryption of any personal data that is taken off-site on a laptop or remote computing device.
The incident occurred on January 4 when a physician, who is also a researcher at the hospital, took the laptop home with him to analyze.
However, prior to going home, he parked his minivan in a downtown Toronto parking lot, leaving the laptop under a blanket between the van’s front seats. Upon his return he discovered the front passenger window broken and the laptop stolen.
Stored in the stolen laptop was personal health data that included patients’ names and information relating to their medical conditions.
Cavoukian did not mince words in her Commissioner’s Message contained in the order.
“There is no excuse for unauthorized access to personal health information due to the theft or loss of a mobile computing device – any personal health information contained therein must be encrypted.”
Cavoukian emphasized that when personal health information must be stored on portable electronic devices that only the minimum amount of information necessary should be stored, and for the least amount of time necessary.
“At a minimum, files or folders containing personal health information must be encrypted. It is essential to use up-to-date encryption techniques to ensure that personal health information is appropriately secured.”
Provisions in health order HO-004 that the commissioner issued today under the Personal Health Information Protection Act (PHIPA) include:
– SickKids must develop and implement a comprehensive corporate policy that prohibits the removal of identifiable personal health information in electronic form from the hospital premises. In the event that personal health information in identifiable form needs to be removed in electronic form, it must be encrypted.
– The hospital must also develop and implement a hospital-wide endpoint electronic devices policy, applicable to both desktop and portable devices (laptops, PDAs), which mandates that any personal health information not stored on secure servers must either be de-identified or encrypted.
Cavoukian’s message was not intended only for SickKids, she said. The commissioner is urging all health information custodians to regularly review their security and privacy policies relating to how health information on mobile computing devices is stored.
In a statement released from SickKids, the hospital noted its staff were working in full cooperation with the Information and Privacy Commissioner in an independent review of the incident.
The hospital said it was notifying patients who had participated in 10 different research studies about the stolen laptop.
According to a statement, the laptop was password-protected and SickKids said it was unlikely the data could be easily understood by someone who lacked clinical training.
Notification letters were sent to study participants who were active patients, added the statement. In certain circumstances, patients were notified in person at clinic appointments.
The hospital said it was pleased to be working with Cavoukian on a review of applicable policies and practices to ensure appropriate privacy and security safeguards were in place and that these were clearly and consistently communicated to hospital staff.
Related content:
Privacy watchdogs flag new crime of the century
Health care pros debate interoperability standards
Does technology enabled health care need a reality check?