Huge potential privacy breach exposes Nunavut’s lax file management
Privacy commissioner reports thousands of medical files may have gone missing
Thousands of records containing the private clinical information of Nunavut residents treated at the Qikiqtani General Hospital in Iqaluit may have gone missing more than a year ago, but the Department of Health decided not to notify the public about what could be a massive information and privacy breach.
That’s because health officials now say they aren’t sure the files are actually missing.
According to a review from the Information and Privacy Commissioner of Nunavut, provided to Nunatsiaq News, the Government of Nunavut’s health department reported on Nov. 9, 2016 that they lost a box containing between 2,000 and 2,500 patient documents from Iqaluit’s Qikiqtani General Hospital.
It was one of 18 boxes of sensitive patient information that were labeled “confidential,” and apparently shipped by air on Canadian North from Iqaluit to Rankin Inlet on June 13, 2016.
The health department said paper files are periodically sent by air cargo to the Nunavut Health Insurance office in Rankin Inlet to be inputted into an electronic database called “Medigent.” This procedure has been standard since 1999.
The Medigent system is used by the Nunavut Health Insurance program for financial management and billing, but is not used to compile or transfer patient diagnoses, treatment or care information.
The Department of Health could only provide a “broad description” of the missing records as “inpatient and outpatient service reports, patient demographics and clinical information,” because the records themselves had never been catalogued.
More than a year after the box was first reported missing, the Department of Health said it now believes this box may have never existed since records showing the number of boxes, and the files inside them, are largely absent.
In other words, it’s possible only 17 boxes were shipped from Iqaluit to Rankin Inlet last spring, not 18. The problem is, no one in the health department knows for sure.
Here’s the other problem: if there is a missing box, there is no record of what was in it, so it’s unclear how many Nunavummiut could be affected—or even what personal data was compromised—said Nunavut’s privacy commissioner, Elaine Keenan Bengts, who reviewed the privacy breach.
Based on what the Department of Health first reported, Keenan Bengts speculated that the lost documents could include: the physical and mental status of individuals; their lifestyle and behavior; health conditions and concerns; history of health care procedures and medication use; specific medical tests; and possible family medical history.
“These are significant harms,” Keenan Bengts wrote. She added that it is “less likely” that the missing records would contain any financial information, such as credit card numbers.
“In my view, the information contained in the lost records includes sensitive identity, contact and health information that could, potentially, be used to cause the harms of identity theft and fraud,” she said, “as well as hurt, humiliation and embarrassment.”
Another problem, she said, was that the Department of Health, “has absolutely no idea whose information is contained in the missing box,” and as a result, “they are unable to notify the specific individuals affected.”
In March of this year, eight months after the box went missing, the commissioner called on the health department to issue a general news release notifying Nunavummiut about the lost data, and to be as specific as possible about what kinds of records were misplaced.
In a letter to the privacy commissioner, dated April 13, 2017, Nunavut Health Minister, George Hickes, wrote “the Department of Health will begin the work necessary to issue a public service announcement about this incident.”
Hickes added that “it will take some time to identify the resources in order to appropriately respond as per your recommendations.”
But health officials now claim the “18th box” may never have existed, due to poor record keeping at the time of shipping. A department spokesperson said subsequent searches at multiple cargo warehouses across Nunavut turned up nothing.
Because of the inconclusive nature of the loss, health department officials changed their minds and decided not to tell the public through a news release, said Nadine Purdy, health communications manager, Sept. 25.
“It remains unclear if a breach had actually taken place, because we were unable to confirm if a box was missing, or if it was the result of an administrative error,” Purdy said.
In light of the obvious vulnerability of Nunavut’s medical file transfer system, Keenan Bengts is calling on the Department of Health to develop new procedure guidelines for the transfer of sensitive documents—such as numbering individual boxes to ensure they all arrive at their destination, and sending fewer boxes at a time.
Offices at either end of the record transfer should also have “clear communication” with one another, she said.
Individual records should also be catalogued, prior to being shipped, so the Department of Health is aware of what is being sent, the commissioner recommended. At the very least, the dates of the files should be noted before shipment.
According to the commissioner’s 2016-17 annual report, the Department of Health accepted all recommendations stemming from the material breach, but the details of how file transfer procedures may have changed are unclear.
Hickes was unavailable for comment before our press time Sept. 25, but we have requested more detailed information on any protocol changes the health department has implemented.
Reports of the breach follow a special audit of the Qikiqtani General Hospital by the privacy commissioner in 2016.
Keenan Bengts slammed the hospital for other possible information breaches—computers with sensitive patient data left idle in public areas, and printers and fax machines placed along public hallways.
Physical medical records were also protected by “lackluster security,” the commissioner said, and there was no security in place to prevent employees from “unofficially” accessing their own medical data, or those of others.
The Department of Health accepted all 31 recommendations from the privacy commissioner stemming from that report.
Nunavut’s Information and Privacy Commissioner is an independent officer of the Legislative Assembly of Nunavut who reports on Nunavut’s ability to provide access to government information and to protect privacy of its citizens, as outlined in the Access to Information and Protection of Privacy Act.
The privacy commissioner can only make recommendations to the Nunavut legislature, but cannot compel action.