Commissioner Concludes Investigation into Medicentres Privacy Breach

August 29, 2014

Medicentres Canada Inc. has been found in contravention of the Health Information Act (HIA) following an investigation by the Office of the Information and Privacy Commissioner (OIPC) into the theft of an unencrypted laptop containing health information.

Launched on January 23, 2014, by Information and Privacy Commissioner Jill Clayton, the investigation looked into the theft, from an information technology (IT) consultant working for Medicentres, of a laptop containing billing information for 621,884 Albertans.

The investigation found that Medicentres contravened the HIA by failing to consider privacy risks and by failing to take reasonable steps to safeguard health information on the laptop computer. Medicentres, acting as the physicians’ information manager, contravened the HIA by failing to implement these controls. Also, it did not provide guidance to the contracted IT consultant about the protection of health information.

At the time of this breach, the HIA did not require Medicentres to notify the Commissioner or affected individuals about a privacy breach. As well, the Commissioner did not have the power to require notification or set terms and conditions about the timeliness or form of notification.

While not required under the law, Medicentres followed OIPC guidelines in responding to a privacy breach; however, it spent considerable time doing so. The investigation report recommends changes to Medicentres’ breach response protocol to ensure that it includes timelines for notification.

The agreement between Medicentres and the physicians does not include any requirement that Medicentres report to the physicians about work it does on their behalf. As such, the physicians, who continue to be responsible for HIA compliance, were not informed by Medicentres about the breach until nearly four months after it happened. The report recommends the implementation of an internal governance mechanism to ensure the physicians are aware of and engaged in decisions Medicentres makes.

The OIPC received 23 complaints from individuals who were affected by this incident. These complaints were placed on hold pending the conclusion of the Commissioner’s investigation. As of this date, Medicentres has not indicated its acceptance of the investigation’s recommendations. As such, the matter remains unresolved and each complainant may ask that their complaint proceed to an inquiry.