CLASSIFIEDSADVERTISINGSPECIAL ISSUESONLINE SPORTSOBITUARIESNORTHERN JOBSTENDERS

NNSL Photo/Graphic


Home page text size buttonsbigger textsmall textText size Email this articleE-mail this page

Stanton steps up patient privacy
New measure in place at hospital one year after USB with 4,000 patients' information goes missing

James Goldie
Northern News Services
Monday, December 7, 2015

SOMBA K'E/YELLOWKNIFE
It's been one year since a USB drive containing the personal information of more than 4,000 patients was lost at Stanton Territorial Hospital and, according to hospital administration, measures are now in place to mitigate a similar incident from ever happening again.

NNSL photo/graphic

Sue Cullen, interim CEO of Stanton Territorial Health Authority, said encrypted technology is now being used any time doctors or hospital staff are transferring patients' information. The change is one of several new security protocols implemented in the wake of a privacy breach one year ago, in which an unprotected USB containing patient information was misplaced by a physician. - James Goldie/NNSL photo

The incident last November prompted an investigation by the Northwest Territories Information and Privacy Commissioner, Elaine Keenan Bengts. Her July 13 report stated the USB was eventually recovered Dec. 8 of last year after a staff member had found the item in the parking lot several weeks earlier, forgot about it, then opened the drive on a computer after a household member's prompting.

The staff member, the report states, recognized the content and returned the item immediately.

This was after the USB drive had been missing since Nov. 7, 2014, and letters had gone out to patients whose confidentiality was at risk of being breached.

Keenan Bengts praised the Stanton Territorial Health Authority for "the way in which it dealt with the incident in an open, transparent and timely matter."

The health authority reported the item missing publicly Nov. 27, 2014.

But her investigation also pointed to "some significant process and policy gaps" and described the incident as "entirely preventable."

The report states there was already a policy in place requiring staff to safeguard confidential data stored on electronic devices. The policy was established in May of that year, states the report, and required the device containing confidential information be stored in a secure location and that confidential material be deleted prior to removal from an office.

"These directives, if followed, should have been effective to avoid an incident such as this one ... however, policies are only effective if they are followed," she said.

Sue Cullen, interim CEO of Stanton Territorial Health Authority, welcomes the challenge.

"We are faced with an issue we really embrace and really want to take a quality approach to it," said Sue Cullen.

"We agree with her recommendations and therefore are working to actually provide those responses," Cullen said. "It really provided the opportunity for us to step back and say we need to make sure that we are ensuring that staff understand ... that patient privacy is maintained."

The bulk of the data on the USB drive were names, dates of birth and health card numbers, although the detailed personal health information of at least 56 patients was also contained on the drive.

"That was being transferred to a server and so we don't want to have information like that on an unencrypted device," said Cullen, who was appointed interim CEO in September, referring to the fact the USB drive had no password protection or other security functions.

"We've actually provided encrypted USB devices to staff. We've encrypted laptops as well for travelling physicians and staff, and we've also provided VPN or virtual private network access for physicians who do travel clinics."

Virtual private network access is a method of providing secure Internet access to a remote computer.

"The good news is that, in the end, the breach was far less significant than it could have been," wrote Keenan Bengts. "The bad news is that this outcome was entirely a matter of good luck rather than good planning or good management."

The health authority has already begun implementing all of the commissioner's recommendations. Cullen said contract doctors (or "locums") receive information about privacy and security during their orientations at the hospital. The same applies to all new permanent doctors and staff members.

Leigh Wells, co-ordinator of communications policy and planning at Stanton Territorial Hospital, said there had never been a personal information breach of its size prior to the USB loss.

"It was a first time for us," she said.

Her report includes a number of recommendations including internal spot audits of various departments handling patient information, additional training, regular messaging about security protocols and ongoing review of technological solutions to security issues.

In November 2014, a physician working on contract for the hospital misplaced the thumb drive containing patient information. It was found in the hospital parking lot by a staff member who turned it in on Dec. 8, but not before the hospital sent out letters of apology to all individuals affected by the privacy breach.

E-mailWe welcome your opinions. Click here to e-mail a letter to the editor.