EDMONTON – An investigation by the privacy commissioner into the January theft of a laptop containing details of nearly 622,000 Albertans found Medicentres Canada Inc. was in contravention of the Health Information Act.
The investigation was launched on January 23, 2014, after it was revealed a laptop containing the name, date of birth, provincial health card numbers, billing codes, and diagnostic codes of 621,884 Albertans was stolen in Sept. 2013.
Medicentres was notified on October 1, 2013, that a laptop belonging to an IT consultant working for the company was stolen.
Alberta’s health minister wasn’t informed until late Jan. 2014.
“I’m quite frankly outraged that this would not have been reported to myself or my department sooner,” said Fred Horne at the time.
The privacy commissioner’s investigation found Medicentres failed to consider privacy risks and failed “to take reasonable steps to safeguard health information on the laptop computer.”
It also found the company “did not provide guidance to the contracted IT consultant about the protection of health information.”
Medicentres said the IT consultant was working on an app at the time of the theft.
The investigation found that Medicentres followed Office of the Information and Privacy Commissioner (OIPC) guidelines in responding to the privacy breach, but “it spent considerable time doing so.”
The report recommends changes to Medicentres’ breach response protocol to include “timelines for notification.”
In addition, the report recommends the company make changes to make sure doctors know about decisions Medicentres makes. Currently, the agreement between the company and its physicians doesn’t require Medicentres to notify the physicians about work it does on their behalf.
In the case of the stolen laptop, physicians were not told about the breach until nearly four months after it happened.
The OIPC received 23 complaints from people who were affected by the theft. The complaints were put on hold until the results of the privacy commissioner’s investigation.
As of Friday, Medicentres has not indicated it accepts the report’s recommendations.