The Office of the Information and Privacy Commissioner has found that the Calgary Health Region contravened the Health Information Act (HIA), following an investigation into the theft of a laptop computer. The laptop contained a database of more than 1,000 children in a mental health care program, including patient history and treatment details.
Key findings included:
- The Health Region had policies in place that would have protected the stolen laptop and the information it contained, but those policies were not fully implemented by the Collaborative Mental Health Program.
- A copy of the entire database was stored on the stolen computer, increasing the number of people affected. Program workers should only have copied the files they needed, rather than the entire database.
- While the laptop was protected by passwords, this was not adequate given the nature of the information it contained
- A knowledgeable and motivated individual could access the data with tools that are readily available on the internet.
- While the risk of identity theft from the information is low, it cannot be ruled out.
- Encryption technology would have protected the lost data, but it was not implemented.
The CHR informed the Commissioner’s Office of the incident on its own initiative, took immediate action to notify affected individuals and has since implemented measures to secure mobile computers. The Health Region also agreed to follow our Investigator’s recommendations.
Investigator Brian Hamilton says, “For the most part the Calgary Health Region does a good job protecting information, and has been taking steps to improve security. Unfortunately, they failed to recognize and address the risks of mobile computing in this program area.”
Others can learn from this investigation. The Office of the Information and Privacy Commissioner urges all HIA custodians, public bodies and private sector organizations to follow these recommendations for mobile computing:
- Perform a Privacy Impact Assessment (or a security risk assessment) before implementing mobile computing.
- Do not store personal or health information on mobile computing devices unless you need to – consider technologies that allow secure, remote access to your network and data instead.
- If you must store personal or health information on a mobile device, use encryption to protect the data – password protection alone is not sufficient.
- Keep the amount of personal or health information stored on mobile computing devices to a minimum, based on your business needs.
- Periodically check your policies against practice to ensure they reflect reality and remain effective.
- Provide specific training on mobile computing to staff to ensure they understand the risks and understand how to protect their equipment.