Capital Health Did Not Properly Safeguard Health Information on Stolen Laptops

November 13, 2007

Information and Privacy Commissioner Frank Work is disturbed by the number of mobile computing devices stolen or lost without reasonable security measures having been taken. The laws require reasonable security measures, and Work says organizations are in breach of this requirement when they fail to encrypt health or personal information stored on mobile computing devices. He feels the time has come for organizations to pay attention to the issue.

Work says a layered defense strategy is required, which must include properly implemented encryption. “We have said time and again that organizations must encrypt health or personal information stored on mobile computing equipment. It doesn’t matter if the mobile device is password protected, or even double password protected; there must be another layer of protection, and that layer is encryption. It is unbelievable that, after a number of high profile incidents in the past, organizations are not getting it.”

Work also notes the significant resources expended by organizations to provide notice to affected individuals following a breach of privacy. He says that properly implemented encryption reduces the risk to individuals to the point that providing notice to affected individuals would not normally be necessary.

Work’s comments came after an investigation by the Office of the Information and Privacy Commissioner (OIPC) determined that Capital Health contravened the Health Information Act (HIA) when it did not maintain adequate safeguards to protect health information stored on laptop computers. The laptops were stolen from a Capital Health facility in May of this year.

The investigation outlines the following steps that must be taken to protect health information stored on a mobile device in order to meet requirements of the HIA:

  • There must be policies and procedures that users are aware of and educated on that guide proper use of the device,
  • Reasonable steps must be taken to physically secure the device,
  • There must be a business need to store health information on the device,
  • The device must be password protected, and
  • Health information stored on the device must be protected by properly implemented encryption.

The specific recommendations to Capital Health, which have all been agreed to, are:

  • Capital Health proceed immediately with its plan to issue a Request for Proposals, select an appropriate encryption solution, and begin implementation on a priority basis,
  • Capital Health ensure its plan includes identification and proper implementation of encryption on all types of mobile devices that contain personal or health information,
  • Capital Health provide OIPC with a detailed implementation plan that includes aggressive targets and timelines, and
  • Capital Health review and revise as necessary its incident response procedure, and in particular, its process of notifying affected individuals about privacy breaches.