YELLOWKNIFE — A privacy breach affecting people who stayed at a COVID-19 isolation center is the latest in a long line of cases of health information being mishandled in the Northwest Territories.
Late last week, the NWT Department of Health and Social Services issued notice of the “low-risk” breach involving about 2,000 COVID-19 isolation forms, which include names, phone numbers, addresses and emails of people who stayed at an isolation center in Yellowknife between August 2020 and April 2021.
It said a box containing the documents left behind by the disbanded COVID-19 Secretariat was discovered at a government warehouse in late June.
While the records never left the territorial government’s custody, there have been several recent cases where private health information was publicly disclosed.
“Inadvertent mistakes or lack of paying attention is often a disturbingly large cause of these things,” said NWT information and privacy commissioner Andrew Fox.
“There are others though. Once in a while, something will happen like this where some system or administrative procedure hasn’t been followed and documents are left potentially unsecured.”
In his latest annual report, Fox says between April 1, 2021, and March 31, 2022, his office investigated 234 new violations of the territory’s Health Information Act, nearly triple the 87 files in the previous year. He said the increase was likely due to more thorough reporting and changes in operations, staffing and training during the pandemic.
Of the new files, 55 involved the COVID-19 Secretariat, some of which are still under investigation.
One troubling cause of privacy breaches, Fox said, has been the territory’s continued use of faxes, an issue over which the commissioner’s office has long chastised the government.
There has also been an increasing number of cases where private health information was improperly disclosed via email, Fox said. Others involved the misidentification of patients and records, and a lack of reasonable security measures for paper records.
Fox said the territory needs to devote more staff and provide more training to ensure private information is protected. He noted the COVID-19 Secretariat was “missing some key individuals in the privacy aspect.”
“Training is expensive. It’s time consuming. There’s no question. However…privacy training is mandatory,” he said.
While the Department of Health and Social Services established a mandatory privacy training policy for all its employees in 2017, Fox said he was told in 2021 they were “barely hitting” 50 percent of staff.
Chief health privacy officer Livia Kurinska-Hrdlickova said the department is continually working to improve privacy practices, including training.
“The Department of Health is committed to ensuring the protecting of personal information of residents at all times,” she said.
Kurinska-Hrdlickova acknowledged there were challenges during the pandemic as some staff were redeployed to areas they didn’t normally work in and many were under stress with high workloads.
While health custodians and territorial governments have pledged to decrease the use of faxes, Kurinska-Hrdlickova said they are sometimes still required when other types of communication are absent or there are restrictions when communicating between jurisdictions. She added safeguards implemented for emails include the use of secure file transfers.
Health and Social Services Minister Julie Green’s office declined an interview, saying the matter was “more operational in nature.”
There have been several noteworthy health privacy breaches in the NWT over the past decade.
In November 2014, a doctor with the Stanton Territorial Hospital lost an unencrypted USB stick containing the private information of more than 4,000 people, including medical advice for 52 patients. It was found and returned the following month.
In June 2018, the territorial government announced an unencrypted laptop containing the health information of more than 33,000 NWT residents — the majority of the territory’s population — was stolen from a locked vehicle in Ottawa that May. CBC later reported internal documents indicated more than 39,000 NWT residents, plus hundreds of non-residents, were affected.
A proposed class-action lawsuit was filed against the territorial government over that breach in 2019.
Then in December 2018, a resident told CBC he had found thousands of private health records left in a public area at the dump in Fort Simpson, NWT. In reviewing the breach, however, then-privacy commissioner Elaine Keenan-Bengts said she could not determine how the 124 file folders turned over to her came into the resident’s possession.
While Keenan-Bengts warned health officials the territory was “ripe for a similar breach to occur,” less than a year later, in July 2019, another resident found more than 60 CDs with private health information at the dump in Yellowknife. The commissioner said the breach was related to Stanton Territorial Hospital’s move to a new building where contractors were not given privacy training.
This report by The Canadian Press was first published Dec. 17, 2022.
This story was produced with the financial assistance of the Meta and Canadian Press News Fellowship.