Level of Security on Stolen Laptops is Simply Not Acceptable, Says Commissioner

June 24, 2009

Information and Privacy Commissioner Frank Work is perplexed by news that two laptops containing health information stolen from Alberta Health Services (AHS) were not encrypted. “This is shocking for me… I don’t know what we have to do to drive this message home,” says the Commissioner. “The standard in Alberta for storing personal or health information on portable devices is encryption. I can’t accept anything less. This is highly sensitive information and an issue of public trust. How can the public have faith in public bodies if they can’t provide security for personal information?”

Two laptops with health information of more than 300,000 people were stolen earlier this month. Information on the laptops included names, birth dates, personal health numbers and lab test results for communicable and reportable diseases.

The Commissioner says AHS did have layers of protection on those laptops, but the final layer simply was not there, and while the risk might be low, there is still a risk: “A person with motivation and sufficient skills could still access the information. Risk remains without properly implemented encryption. The measures they had in place are better than nothing, but not good enough.”

Work says, “Encryption technology is readily available, and if you are going to store personal information on a portable device, you had better make sure that encrypting that information is a priority, a part of your business model, and an everyday occurrence, like making sure the door is locked before you leave home.”

The Office of the Information and Privacy Commissioner has launched an investigation into this matter. Work says, “We will be working very closely with AHS to make sure they understand their obligations and to ensure that steps are taken to prevent this from happening again.”