When Things Go Wrong: Whom to Tell and What to Do About Data Breaches?
Remarks at the 11th Annual National Conference on Clinical Trials organized by InSight Information
October 18, 2010
Address by Patricia Kosseim
General Counsel, Office of the Privacy Commissioner of Canada
(Check against delivery)
Thank you for your kind introduction and for kindly agreeing to change the agenda to accommodate me. Being now the last speaker of the day, I thought I would speak about a provocative subject - there’s nothing like Data Breaches to keep people in a room!
In all seriousness, however, “data breaches” does seem like an apropos topic following some of this morning’s presentations on risk management and patient trust and this afternoon’s session on financial management for reasons that will hopefully become clearer in the next few minutes. It wouldn’t be the first time some of you hear me say that respect for patient confidentiality and privacy is critical for the success of the health research enterprise.
To seek comfort from the fact that data breach hasn’t happened to your organization yet would be to create a false sense of security. The reality is that data breaches can happen, even in the most sophisticated organizations – and without sounding alarm bells – planning for when, as opposed to if, may be the more prudent course of action.
- Data breaches can happen unknowingly. Take for example today’s press release about the Privacy Commissioner’s findings in the Google WIFI matter. Even a sophisticated, global giant like Google was not beyond risk when it inadvertently picked up personal data among publicly broadcast WIFI signals it was collecting through its Street View cars in a plan to enhance its location-based services.
You will also recall the case a couple years ago of a methadone clinic in Sudbury Ontario where, to everyone’s surprise, video images of a woman providing a urine sample in the clinic’s washroom were inadvertently picked up by a wireless mobile device (a back up camera) of an automobile that was parked nearby, outside the clinic.
- Breaches can happen through deliberate intrusion, pretexting or theft. Remember the much publicized intrusion into TJX’s information systems containing the credit and debit card information of millions of its Winners/HomeSense customers. Over-collection of data and weak encryption technology made the mega retail company particularly vulnerable to identity theft.
The health sector too has had its share of unwanted thefts and intrusions, for example, 1) malicious software that affected 150 Alberta Health Services computers in Edmonton last year containing personal health information of over 11,000 people; 2) the theft of an unencrypted laptop from the automobile of a clinician-researcher at SickKids containing personal health information of approx. 2,900 patients enrolled in several research studies; and 3) the more recent theft of an unencrypted memory stick from the purse of a public health nurse working for the Durham Health Department, which contained personal information of more than 80,000 individuals who had attended H1N1 immunization clinics in the Health Region.
- Breaches can also happen through sheer carelessness. Everyone will remember the CBC news report of paper health records being blown around on location for a film shoot in the downtown streets of Toronto. It was the lack of proper safeguards and insecure disposal of patient records that led to this unfortunate and highly embarrassing incident. A very similar and more recent scenario occurred on the street in front of a medical diagnostic laboratory in Ottawa as the medical records of several of its patients fell out the back of a recycling truck as it was driving away from the premises.
- And finally, breaches can happen intentionally by snooping employees or health providers working within the organization or institution itself. The sad love triangles between husbands, wives and girlfriends, acting out of jealousy and spite, led to egregious and repeated breaches of patient confidentiality in two separate, but similar fact situations – one at the Ottawa Hospital in 2006, and the other in Calgary, Alberta in 2007. In the Alberta case, the medical clerk in question was fined $10,000 pursuant to the first ever criminal prosecution under the Alberta Health Information Act.
More recently, and more disturbing, was the case of a pharmacist at L & M Pharmacy in Saskatchewan who was found to have improperly accessed the province’s prescription database to view the personal records of three individuals. The audit logs indicated that he had done so on nine different occasions, in some instances from his home computer at 3:00 a.m.! The individuals were not patients of his pharmacy at the time and he had no professional need to view their records - other than for sheer personal interest.
The message is that breaches do happen. Our office received notice of 58 breaches in 2009, and those are only the voluntary reports we hear about – not counting all the other breaches reported to our provincial counterparts who have more sizeable jurisdiction over the health sector.
Mandatory Breach Notification Requirements in Canada
It is not for nothing then that we are seeing legislators introduce mandatory breach notification requirements in relevant data protection laws across the country.
Ontario, of course, was first out of the gate in 2004 with its Personal Health Information Protection Act, which requires health information custodians to notify individuals at the first reasonable opportunity if their information is stolen, lost or accessed by unauthorized persons. It does not contain a statutory reporting obligation to the Commissioner.
Alberta followed suit in 2009 with amendments to its Personal Information Protection Act, now requiring organizations to provide notice to the Commissioner of any incident involving loss, unauthorized access or disclosure of personal information. The Commissioner may, in turn, require the organization to provide notice to the individuals affected.
The Personal Health Information Act of New Brunswick, proclaimed into force in September 2010, and that of Newfoundland, expected to be proclaimed in December 2010, require both notification to individuals in the event of a breach and a report to the Commissioner.
Proposed amendments to the Personal Information Protection and Electronic Documents Act (“PIPEDA”), Bill C-29, which is currently before Parliament, would likewise introduce both a notification requirement to individuals and a reporting obligation to the Commissioner.
Without getting into the fine details of statutory interpretation, suffice it to say that the thresholds which trigger a reporting obligation to the Commissioner and/or a notification obligation to the individuals affected vary from law to law. A discussion about what constitutes a “material breach” or a “real risk of significant harm”, for example, could be the subject of a whole other hour.
Rather, in the time remaining, I would prefer to speak about the practical considerations – whom to tell, what to do and how? – when the rubber really hits the road.
Key Steps for Organizations in Responding to Privacy Breaches
In order to assist organizations in responding to privacy breaches, several commissioners have published breach notification guidelines. For example, the Office of the Privacy Commissioner of Canada suggests the following key steps to be followed in the event of breach:
1. Immediately Contain the Breach
The first step is to immediately contain the breach and mitigate potential harm. Though this makes eminent common sense, it sometimes turns out to be quite challenging.
For instance, in cases of unauthorized breach by a snooping health provider, containing the breach – essentially suspending their access privileges – raises different issues depending on whether the individual is a unionized employee or an independent health professional.
In the case of a unionized employee, suspension of access privileges may be delayed by collective agreement provisions that require meeting with the employee and his or her union representative before taking any disciplinary action. In the meantime, and unless otherwise stopped, the employee would be able to repeatedly view the records and continue to breach patient confidentiality with impunity. To avoid this, collective agreements should be reviewed and if necessary, amended, to allow the employer, when such incidents occur, to take more immediate steps to contain the alleged breach until a fuller investigation can be completed.
In the case of an independent health professional, issues of a different nature arise. In considering whether to suspend the access privileges of the snooping health provider in question, the relevant College or Regional Health Authority needs to consider the potential impact on the care of other patients whose visits and/or treatments may be delayed as a result – or on the quality of large clinical trials that may be jeopardized if interrupted. Also to consider is the potential economic impact that suspending access privileges can have on the health professional’s ability to continue to earn a livelihood on a fee-for-service basis. More flexible access controls may have to be designed and built into electronic record systems to allow for partial suspension in such cases.
2. Evaluate the Risks Associated with the Breach
The second step is to evaluate the risks associated with the breach. What personal information is involved? What is the cause and extent of the breach? Who are the individuals affected and what foreseeable harms can potentially result?
While again, this may sound utterly reasonable in theory, it is sometimes more difficult to do in practice.
For instance, when unencrypted mobile devices go missing, organizations are sometimes not even able to determine with certainty what type of personal information was contained therein, whose, or how much. In such circumstances, risk assessment turns out to be little more than an exercise in futility. While this clearly speaks to the need to encrypt personal data on all mobile devices in accordance with prevailing industry standards, it also speaks to more basic requirements to identify files, the purpose for creating them in the first place, and the need to keep them at all.
Another challenge we see in cases where stolen mobile devices are later recovered, for instance, is in determining whether or not the personal data contained therein was accessed at all by unauthorized persons. This serves to remind us of the importance of ensuring proper audit trails are built into the information system in order to produce detailed access logs (e.g. frequency, extent, duration of access, etc.) and assess the level of risk that may result from it.
A further difficulty of evaluating risk is in assessing the foreseeable harm that may be caused to affected individuals. When dealing with personal health information, as opposed to financial information, the recipient’s motive to misuse the information may not be as obvious, and the potential harm to the individuals may not be as easily quantifiable – at least in monetary terms. Nonetheless, the adverse impact can be just as devastating, if not more, particularly when dealing with sensitive health information.
Sensitivity is determined not only by the type of personal information, but also by the context. (For example, some may argue that a list of patients’ home addresses alone may not be particularly sensitive, but what if the list pertains to patients of a cancer clinic, an HIV clinic or a health clinic that caters particularly to abused women? Similarly, some may argue that a list of names of healthy volunteers enrolled in a clinical trial by itself may not be sensitive, but what about the information pertaining to individuals in the study group whose eligibility criteria for inclusion are otherwise known?)
Accordingly, the legislature has recognized these nuances by expanding the definition of harm to include not only financial or property loss, but also, bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities.
3. Notification
Determining whether to notify affected individuals is the third, and probably most difficult, step in the event of a data breach. It will depend in large measure on the degree of risk of harm and the possibility for individuals, once notified, to mitigate that harm.
Also important to consider, however, particularly in a health context, is the risk of unduly harming individuals through notification itself. While the instinct of the institution’s lawyers might militate in favour of notifying in order to minimize possible litigation risk, ethical considerations must also be taken into account to minimize potential harm. For example, notification could be unnecessary, or even inappropriate, in cases where information gone missing is adequately encrypted such that the risk of any person being reasonably able to access the data is very low to none. In such cases, individuals, even if notified, could do nothing about it other than worry, causing needless anxiety.
Even if a decision is made to notify individuals, careful thought should be given to how this should be done. Not only practical, but also ethical, considerations ought to govern the selected approach. For example, if a decision is made to contact individuals by phone, mail or e-mail, organizations should be sensitive to the risk of inadvertently revealing confidential information to family members or others living in the same household and thereby compounding the harmful effect of the breach. Think of an abortion clinic calling home to inform teenage daughters that their files have gone missing. In some circumstances, a general notice, advertised through targeted means, may be more appropriate.
4. Prevention of Future Breaches
Finally, the last step to work through in the event of a breach is to undertake the necessary measures to prevent such breaches from recurring in the future. Once the immediate problem appears to be technically resolved, this step may tend to get short shrift. Often, however, an incident which may seem to be a one-off event does not get the proper attention it deserves, particularly where there are underlying systemic issues which gave rise to the problem in the first place.
This may be the case where the institution has weak policies and procedures or where employee training may be deficient. The fact that the breach has happened once may be sheer luck, until the underlying cause rears its ugly head again, resulting in yet another breach down the road.
Throughout the breach notification process, an organization should also consider whether, and at what point, to report the incident to the relevant privacy commissioner. In some jurisdictions, organizations are – or may soon be – obligated to report at least cases of “material breach”, however defined.
Regardless, and quite apart from the legalities, organizations may wish to consider the common sense benefits of reporting. If in doubt as to whether a breach is “material” or not, organizations may want to err on the side of reporting anyway for the following reasons:
If informed of a data breach in a timely manner, the Privacy Commissioner may:
- bring to bear his or her expertise on the matter and greatly assist the organization in working through the various steps of the breach notification process;
- respond to media enquiries by reassuring the public that s/he has been duly informed by the organization and is working cooperatively with them to contain the breach and minimize potential harms;
- investigate potential complaints as they arise, with full knowledge of what the situation entails and the steps already taken by the organization to remedy the breach; and,
- have a better picture of the types of breaches occurring, their nature and extent, in order to comment on industry or sectoral trends and identify new areas of increased risk.
Finally, it is important for organizations not to get so overly focused on assessing potential harms to individuals that they overlook the potential harm that can result to their own reputation as well. Data breaches, if not properly managed, can have devastating impacts on an organization’s goodwill – undermining their clients’ trust and confidence.
These can have not only “soft” adverse impacts, but hard economic consequences as well – particularly if research funding is pulled, service contracts are cancelled, customers choose to get their prescriptions filled at the competing pharmacy down the road, or most critical for many of you, patients whom you’ve spent so much time, efforts and resources recruiting into your clinical trials, start exercising their right to withdraw consent because they’ve lost all trust in you.
Now, did I manage to keep you all in the room?
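The one technique these remarks describe is the audit trail: the Saskatchewan pharmacist was caught because the prescription database logged nine accesses, some from a home computer at 3:00 a.m., and step 2 of the OPC guidance relies on access logs that capture frequency, extent and duration to assess risk. The following script is an added example written by the editor; it is not part of the address and not OPC or any health authority's code. It triages a constructed access log by user: how often records were viewed, how many distinct patients, how many accesses had no care relationship on file, and how many were off hours or from a remote session, then assigns a risk level. The log format, the care-relationship table, the business hours, the "vpn-" prefix for remote sessions and the triage thresholds are all assumptions for illustration.

```python
"""Triage of a health-record access log for possible snooping (added example)."""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log lines (not from any real system). Fields per line:
# timestamp, user id, patient id, source workstation or network, action.
SAMPLE_LOG = """\
2010-09-01T09:12:00 u_smith p_1001 ws-clinic-12 view
2010-09-01T09:40:00 u_smith p_1002 ws-clinic-12 view
2010-09-01T10:05:00 u_smith p_1003 ws-clinic-12 view
2010-09-02T03:05:00 u_jones p_2001 vpn-home view
2010-09-03T03:11:00 u_jones p_2001 vpn-home view
2010-09-04T22:40:00 u_jones p_2002 vpn-home view
2010-09-05T11:00:00 u_jones p_3001 ws-pharm-02 view
2010-09-05T11:20:00 u_jones p_2003 ws-pharm-02 view
2010-09-06T14:00:00 u_lee p_4001 ws-clinic-03 view
2010-09-06T14:30:00 u_lee p_4001 ws-clinic-03 update
"""

# Constructed (hypothetical) care relationships: patients each user is treating.
CARE_RELATIONSHIPS = {
    "u_smith": {"p_1001", "p_1002"},
    "u_jones": {"p_3001"},
    "u_lee": {"p_4001"},
}

WORK_START, WORK_END = time(7, 0), time(20, 0)  # assumed business hours


def parse_log(text):
    """Parse whitespace-separated log lines into dicts; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, patient, source, action = parts
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "user": user, "patient": patient, "source": source, "action": action,
        })
    return records


def is_off_hours(ts):
    """True when the access falls outside the assumed business hours."""
    return not (WORK_START <= ts.time() < WORK_END)


def is_remote(source):
    """Assumption: remote sessions are tagged with a 'vpn-' prefix in this log format."""
    return source.startswith("vpn-")


def assess_access(records, care):
    """Summarise each user's accesses (frequency, extent, duration) and assign a risk level."""
    stats = defaultdict(lambda: {"total": 0, "patients": set(), "no_relationship": 0,
                                 "off_hours": 0, "remote": 0, "first": None, "last": None})
    for r in records:
        s = stats[r["user"]]
        s["total"] += 1
        s["patients"].add(r["patient"])
        if r["patient"] not in care.get(r["user"], set()):
            s["no_relationship"] += 1
        if is_off_hours(r["ts"]):
            s["off_hours"] += 1
        if is_remote(r["source"]):
            s["remote"] += 1
        s["first"] = r["ts"] if s["first"] is None else min(s["first"], r["ts"])
        s["last"] = r["ts"] if s["last"] is None else max(s["last"], r["ts"])

    report = {}
    for user, s in stats.items():
        # Triage rule (an assumption, not a standard): repeated access with no care
        # relationship, or unrelated access off hours or from a remote session, is
        # high; any unrelated access is medium; everything else is low.
        if s["no_relationship"] >= 3 or (s["no_relationship"] and (s["off_hours"] or s["remote"])):
            level = "high"
        elif s["no_relationship"]:
            level = "medium"
        else:
            level = "low"
        report[user] = {
            "total": s["total"],
            "distinct_patients": len(s["patients"]),
            "no_relationship": s["no_relationship"],
            "off_hours": s["off_hours"],
            "remote": s["remote"],
            "span_days": (s["last"] - s["first"]).days,
            "level": level,
        }
    return report


if __name__ == "__main__":
    for user, row in assess_access(parse_log(SAMPLE_LOG), CARE_RELATIONSHIPS).items():
        print(user, row)
```

On the constructed log, u_jones is flagged high (five views of four patients, four without a care relationship, three at night over a VPN, spread over three days), u_smith medium for a single unrelated daytime view, and u_lee low. A real deployment would join the log against the actual scheduling or treatment records rather than a hand-written table, and would tune the hours and thresholds to the organization; the point is that the log has to carry the user, patient, time and source for any of this assessment to be possible.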