Health Minister Margaret MacDiarmid provided an update today on the ministry's data investigation that has confirmed a number of instances where personal health data was accessed for research purposes without authorization.
The minister announced three specific instances where personal health data was inappropriately accessed, saved on portable storage devices (USB sticks) and shared with researchers and/or contractors without required permissions and protocols being followed. The ministry has taken measures to mitigate risks associated with the incidents, as well as steps to review and enhance its data security procedures. None of the information accessed included personal names, social insurance numbers (SIN), or any financial information about individuals.
At the present time, the ministry's investigation has concluded that there is minimal, if any, risk of inappropriate use of personal information.
"There continues to be no evidence that information was accessed or used for purposes other than health research," said MacDiarmid. "However, the ministry takes its responsibility to safeguard British Columbians' health information seriously, and that is why a comprehensive investigation of electronic records was undertaken, including computer databases, storage devices and email records going back several years. I remain very concerned that rules were not followed in these specific instances."
In consultation with the Office of the Information and Privacy Commissioner (OIPC) for B.C., the ministry determined that it would be appropriate to provide the public with details about three instances of health data being inappropriately accessed. The ministry is also following the recommendation of the OIPC to directly contact approximately 38,000 individuals affected in one of the three cases.
This particular case involved data both from the ministry and data compiled from responses to Statistics Canada's Canadian Community Health Survey. This information was collected by Statistics Canada and, as authorized under the federal Statistics Act and with the consent of survey participants, the information was shared with the ministry by virtue of a signed agreement stipulating that personally identifiable information for research would not be disclosed outside of the ministry. Disclosure of the information breached the agreement between the ministry and Statistics Canada.
In September 2012, the ministry first announced an investigation into allegations of inappropriate conduct, contracting and data-management practices involving former ministry employees, researchers and contractors. The ministry has been in communication with the parties involved, or their legal representatives, as applicable, concerning the return of ministry data.
The private consulting firm Deloitte has also been hired to review the ministry's data security measures, including ways to enhance data governance, compliance and monitoring, security and information management practices, as well as technological infrastructure requirements. The ministry also has introduced a mandatory privacy and data-security training program for all employees, in addition to the privacy and security training already required of all public-service employees.
The ministry has notified the OIPC of the unauthorized disclosures and continues to co-operate with the commissioner's independent investigation. For more information about the OIPC please visit their website at: www.oipc.bc.ca
The data-access components of the ministry's investigation continue, along with ongoing audits, led by the Office of the Comptroller General, with respect to contracting and financial procedures.
Members of the public who have questions or concerns can visit: www.health.gov.bc.ca/cpa/mediasite/healthdata.html or call 1 866 736-9156 between 8 a.m. and 4:30 p.m. weekdays.
A backgrounder follows.
Media Contact:
Ryan Jabs
Media Relations Manager
Ministry of Health
250 952-1887 (media line)
BACKGROUNDER
Data access investigation timeline
In September 2012, the Ministry of Health announced that it was investigating allegations of inappropriate conduct, contracting and data-management practices involving former ministry employees and drug researchers.
A lead investigator from the Ministry of Citizens' Services and Open Government has spent several months overseeing a team of analysts who are conducting a detailed and comprehensive review of Ministry of Health electronic records, databases and portable storage devices. The forensic data investigation involves locating, rebuilding and sifting through hundreds of gigabytes of data and thousands of emails.
Government policies dictate USB keys must be password-protected and encrypted if they are to be used to carry personal health information, and that health data should be shared only with individuals who have authorization to access it for approved purposes.
As part of this process, the ministry has identified details about three specific instances of inappropriate and unauthorized data access and use for research purposes, where required permissions and protocols were not followed, which require public notification. Details about these instances have been shared with the OIPC.
First case: Portable storage device (USB stick) containing Statistics Canada health survey information - June 2012:
Personal notification will occur in this case.
Summary: Health data of 38,486 individuals was shared with an individual. The file included personal health numbers, gender, date of birth and postal codes, as well as information linked from Statistics Canada's Canadian Community Health Survey. Personal names, SIN, street addresses and financial information were never included in the file. The data did include hospital admissions, discharges, medication history, and medical services plan claims. Information from Statistics Canada's Canadian Community Health Survey pertained to information about individuals' health status, mental, physical and sexual health, lifestyle information and use of health services.
Disclosure of the information breached the agreement between the ministry and Statistics Canada. Ministry policies require personal health information to be used only for authorized purposes and require data access agreements to be in place when personal information is accessed. The data was in a binary data format that requires specific software to decipher. In addition, the data was in a format that would make it difficult to match personal health numbers to identifiable individuals.
Second case: Portable storage device (USB stick) containing unencrypted ministry data - June 2012:
Summary: A USB stick containing a plain-text file of 19 types of health data, including personal health numbers, gender, age group, length of hospital stay and amounts spent on various categories of health care for over five million individuals was provided to a ministry contractor. This data includes information on some health conditions as well, such as whether an individual was diagnosed with diabetes.
The contractor was authorized to receive non-identifiable and/or encrypted data from the ministry, but received unencrypted and personally identifiable data instead. This information did not include personal names, SIN, financial information or addresses of individuals, and it would be difficult to match personal health numbers to identifiable individuals.
Third case: Ministry data shared on a USB stick without authorization - October 2010:
Summary: Ministry data containing the personal health numbers of an estimated 21,000 people and detailing diagnostic information for 262 chronic diseases or conditions, including prescription history for certain drugs, was created and shared with a researcher without a data request being approved, in contravention of ministry policies.
This information did not include names, SIN, addresses or any financial information, and it would be difficult to match personal health numbers to identifiable information. All data was contained in a binary file that requires specific software tools to access it.