When the B.C. government auctioned off data storage tapes that contained details of the medical status of thousands of people – including whether they are HIV-positive, mentally ill or considered fit for work – they really stepped in it. But, sadly, it could have happened anywhere.
“When you have a government body suffer a data breach like that, it is disturbing to say the least,” said Ross Armstrong, senior research analyst at Info-Tech Research Group of London, Ont. “Unfortunately, it is not an uncommon occurrence.”
Any health care organization, whether a clinic or a hospital, first and foremost has a duty to protect patient information, according to Armstrong. It is a concept that has existed for decades, long before the advent of the computers in the workplace.
In B.C., the Vancouver Sun reported that the tape containing the sensitive information was among a set of 41 high-capacity data tapes that were sold for $101 at a B.C. government public auction in Surrey in July 2005.
“It’s a crazy situation, and it’s made all the more crazy by the sheer fact of who the perpetrator is here – it’s the government,” Armstrong said. “Digitizing and making protected health information more portable means that obligation becomes that much more relevant.”
Both federal and provincial data privacy laws could have been breached, he said.
The Sun noted that the unauthorized disclosure of private information is an offence under the Provincial Freedom of Information and Privacy Act.
And in short order the B.C. Minister of Labour and Citizens’ Services, Michael de Jong, admitted that there had been a “screw-up.” De Jong, whose ministry oversees the auction process, told the legislature that B.C. has a comprehensive set of guidelines in place to govern how digital material is supposed to be secured and disposed of.
“My guess on how it happened, based on my experience and speaking with IT professionals, is that policy, a standard set of procedures that IT workers or whoever is in charge of data handling must follow when it comes time to reallocate resources, was just not followed,” Armstrong said.
An organization’s guidelines for performing a certain task should be repeatable and the same for everybody, according to Armstrong. “Obviously, policy was not followed in this case.”
“Any organization following data privacy best practices in general would have some kind of data sanitization policy, or hardware sanitization policy, in place so the appropriate individual signs off on it,” he said.
It is a real problem because it is the government that sets the standard for adhering to laws and it is also government that enforces the laws, according to Armstrong.
“The problem with health information is that very often the patient files will contain name, date of birth and social insurance number of a patient,” Armstrong said. “The patient’s actual medical condition notwithstanding, if that information becomes known somehow it’s embarrassing and it’s a violation of patient confidentiality.”
With respect to the first three pieces of information – name, DOB and SIN —those are all that an identity thief needs to get a credit card in somebody else’s name and that causes problems for the financial industry as well, he said.
“I don’t get the feeling that in this case the intent was malicious in any way. Somebody zigged when they should have zagged.”
IT equipment resale is a fairly common practice for organizations across all industries, whether it’s private or public, health care or public administration, according to Armstong. “Everyone is so concerned about costs that they will throw anything on eBay or for auction to reclaim a couple of bucks from it.
“IT budgets are usually pretty squeezed as it is. In the case of IT (departments) they are tasked to do more with less. It is always being demanded of them and it is one of the ways an IT manager, desperate to reclaim some of that budget money, can recoup costs.”
The bottom line is that the onus is on whoever is holding sensitive health care data, whether a health care organization or some other agency, according to Armstrong.
“If they cannot adequately ensure and guarantee these types of media are being properly sanitized, then they should be destroying them.” 061175
Brian Eaton (beaton@itworldcanada.com) is associate editor of InterGovWorld.com