OUR INFORMATION IS NOT PROTECTED – PART II

  1. THOUSANDS OF B.C. PRIVATE HEALTH RECORDS SOLD AT PUBLIC AUCTION. (a) Mike de Jong was involved in this one too. He was the labour minister whose ministry oversaw the auction process. Again, extremely private information was sold for $300, such as “medical status – including whether they have a mental illness, HIV or a substance-abuse problem”, social insurance numbers, dates of birth, names, phone numbers, and “caseworker entries divulging extremely intimate details of people’s lives”, and more.

Mary Carlson, director of the Office of the Information and Privacy Commissioner of B.C. said “the government had sold sensitive information to the public once before, but that the details of the case had not been made public. She added that she is ‘disappointed’ to hear it has happened again”. (a)

  2. The Human Resources and Skills Development Canada (HRSDC) “lost the personal information of half-a-million Canadians last year.” They lost an unencrypted external hard drive containing Canada Student Loan information and a USB key containing information such as social insurance numbers, medical records, birth dates, education levels, occupations, etc. (b)
  3. Ontario has had so many breaches that they held a press conference to apologize. They told people that most workers in the health system are honest people. That may be true in terms of downloading large amounts of information (lying/stealing/conning information from patients is another issue) but you don’t protect medical information from those who won’t steal it, you protect it from those who will steal it. So, the government/medical system is responsible for not protecting the information. Just like a bank doesn’t install a security system to protect its assets from the 90% who won’t steal but from the 10% that will steal. A bank might get its money back but with medical information, once it’s out there, it’s out there, you don’t get it back. Examples:

i. An anti-abortion activist has been accused of prying “into hundreds of abortion records”. DeCiccio worked at a hospital and “the hospital placed no restrictions on what records she could or could not access”. (c)

“Since being informed of this case in May 2011, Beamish (acting privacy commissioner) said he has noticed a concerning trend where increasing numbers of hospital staff are accessing patient records without authorization, including the recent breach of former mayor Rob Ford’s medical files”. (c)

ii. “Hospital workers in Toronto have been disciplined, and some fired, for taking photos of patients without their consent, losing scores of health records or inappropriately prying into a patient’s file when they are not involved in their care.” (d)

“Earlier this year, the Star unveiled two major hospital privacy breach cases involving thousands of patients. In one case, hospitals inappropriately provided patient information to baby photographers. In another, hospitals were handing out patient contact information to private marketing companies.” (d)

iii. Six Greater Toronto Area hospitals apparently sold patient information to photographer(s). And yet, Mount Sinai, one of the six, said “Since we learned of this breach (italics mine), we have changed our practice…”. This implies they didn’t know what they were doing; they had a contract to sell this information but they didn’t know they were doing it; how does that happen? (e)

iv. Other examples you may want to read about: Rouge Valley hospital privacy breach expands to affect 14,450 patients, Joel Eastwood, 27 Aug 2014, Toronto Star; Hundreds of hospital privacy violations go unreported, Olivia Carville, 13 Jan 2015, Toronto Star; Ontario lags other provinces in updating health privacy laws, Olivia Carville, 06 Feb 2015, Toronto Star. A few of the examples you will read about in these articles: “pharmacist opening medical records of fellow congregants”; “a doctor who snooped into 141 women’s medical records, including gynecology reports” (h); “while standing in line for a pizza…doctor chatted on his cellphone about the private details of a patient” (i)

v. Another informative article: Peterborough lawsuit to set precedent for Ontario patient privacy rights, Joel Eastwood, 03 Sep 2014, Toronto Star. Update: This lawsuit was dismissed because the prosecutors bungled the case (Ontario’s sole health privacy prosecution quietly dismissed, Olivia Carville, 30 Mar 2015, Toronto Star). How convenient. But two more cases are on the go.

The worst that happens to the few privacy violators actually caught is they are fired. “Beamish (acting privacy commissioner in Ontario) is aware of only two provinces, Alberta and Newfoundland and Labrador, which have successfully prosecuted under health-related privacy acts”. (c) This indicates that the privacy acts are useless, a facade. Quite frankly, I don’t think just being fired is much of a deterrent for severe cases of privacy violation (for example, when information is shared). What happens to these fired people? Do they get rehired after a period of time (see post “BC Nurses”, Nov. 4, 2008), or do they go to work in a nursing home or other facility (Ontario’s sole health privacy prosecution quietly dismissed, Olivia Carville, 30 Mar 2015, Toronto Star)? Are they required to pay back any benefits from the privacy violation?

I think the ability to sue the hospitals is important in order to get them to take this issue seriously. Despite the fact that the medical system always says “we take the protection of people’s privacy very seriously”, obviously they don’t. But, I believe, the prospect of being sued may encourage hospitals to cover up even more violations. What is also required is some kind of oversight/ongoing audits conducted by citizens groups (or something similar), not chosen by, and outside the influence of, the political/medical organizations.

When I was in front of St. Paul’s, a couple years before the press conference, one person said he worked in a pharmacy in Ontario and that Ontario had tightened up its privacy and people in the pharmacy now had to get permission to access previously available information. Apparently, it is VERY INCONVENIENT. Isn’t that sad. Protecting people’s privacy is INCONVENIENT for people in the medical business. Accessing patients’ information SHOULD be difficult and if that’s inconvenient to researchers, etc., then find another line of work. Yet, these recent scandals indicate that they are still doing a very poor job at privacy protection.

I commend the Toronto Star for its investigations and reports. If only other media, in other provinces, would do the same, it would prevent a lot of patient suffering in the future.

  4. “Personal health information belonging to 620,000 Albertans and stored unencrypted on a private company’s laptop was stolen” in Sept. 2013. “The data on the laptop included patients’ names, dates of birth, provincial health card numbers, billing codes, billing amounts and diagnostic codes.”

Medicentres Family Health Care Clinics chief medical officer Dr. Arif Bhimji said “Medicentres ‘immediately’ contacted the Edmonton Police Service and Office of the Information Privacy Commissioner”. Apparently, immediately was four days later. But no one informed Alberta Health (who eventually received a letter) or the patients (informed by the media) until January 2014.

The politicians were, of course, “outraged”. But isn’t it their job to ensure that our privacy is protected, even when they outsource?  But I guess it sounds good in the press.

Alberta Medical Association president Dr. Allan Garbutt said “physicians are trained from early on to keep all medical information highly protected based on the principle that it belongs to the patient and no one else” (italics mine). He admitted that there are numerous ways medical information can be misused. The British Columbia medical business seems to operate on the principle that patient information belongs to everyone but the patient. Does Alberta medical staff give anything but “lip service” to this principle?

As one patient said: ‘I don’t want my diagnosis given to just anyone. It’s up to me to disclose what is happening to me’. In my opinion, this also applies to researchers. As we know from the researchers health scandal (prior post – Our Information Is Not Protected), the medical business and anonymous are total opposites. Apparently the Medicentres laptop has never been recovered.

There have been more than “four other similar incidents that affected hundreds of thousands of people in the last decade” (that we know of). (g)  Most involved the theft/loss of laptops.

  5. “For a precedence on how bad privacy breaches in Canada can be, one need look no further than the case of Captain Sean Bruyea, a Canadian Air Force officer who served in the Persian Gulf War in 1991. Without his permission or knowledge, all of his personal, medical and financial files were distributed across a wide swath of officials in the Department of Veterans Affairs, who used this as ammunition to try to silence what was a fierce critic for Canada’s returning veterans. A total of 54 people had inappropriately accessed Bruyea’s file; 36 received an ‘administrative memo;’ nine were reprimanded and nine received one-day suspensions. Nobody was fired. No one. Let’s put this in context: When government employees were actually found to be egregiously breaking the law in accessing personalized files, not a single person was fired.” Scandal taints BC Ministry of Health’s Pharmaceutical Services Division, Alan Cassels, April 2013, Common Ground
  6. I suggest you read Your Information Is Not Secure, Michael Geist, 01 May 2013, TheTyee.ca. This report reveals that “virtually every major [federal] government department has sustained [privacy] breaches” and gives examples. It also states that the Privacy Commissioner of Canada is rarely notified of the breaches.
  7. A binder was stolen from a doctor’s car containing information on B.C. Transplant patients. It included patient names and other information. Patient Information Stolen, 16 Dec 2011, 24 Hours
  8. Other examples of the medical business’ hypocrisy regarding patient privacy:

i. When I had to go through the medical system (see future post “My Story”) I would stand at reception at the doctor’s office or office of other medical people and be asked to provide personal information while there were people directly behind and beside me, who could easily overhear everything being said. In some cases, I tried writing the information on a piece of paper or answering very softly and they would repeat what I said so loudly the whole waiting room, or most, could hear. At Burnaby General Hospital, in emergency, they have the reception desk right in front of the waiting room where everyone, or most, could overhear the conversation regarding the collection of personal information.

ii. I was in a doctor’s very small reception/waiting room. The staff would talk to patients on the phone, sometimes even stating the patient’s name. People in the waiting room couldn’t help but overhear the conversation.

iii. I was in a pharmacy where they had a sign which said “stand back to respect people’s privacy”. The pharmacy wasn’t that large so you would have to stand halfway, or more, across the room, to avoid hearing the conversation. The counter was also near the door so there was traffic coming & going.

But, hey, just ask them and they will tell you “your information is protected”. They don’t care about people’s privacy. It’s inconvenient, to them.

 

THE ONLY SAFE INFORMATION IS THAT WHICH ISN’T GIVEN

 

 

  (a) THOUSANDS OF B.C. PRIVATE HEALTH RECORDS SOLD AT PUBLIC AUCTION – Jonathan Fowlie, 04 Mar 2006, Vancouver Sun (a paper I didn’t buy)
  (b) Human Resources bureaucrats questioned over data breach – Jessica Murphy, 15 Feb 2013, 24 Hours
  (c) Anti-abortion activist snooped into 414 abortion files – Olivia Carville, 21 Jan 2015, Toronto Star
  (d) Hospital privacy violations rife in Ontario – Olivia Carville, 29 Oct 2014, Toronto Star
  (e) Privacy breach: Six GTA hospitals gave patient info to photographers – Joel Eastwood, 29 Aug 2014, Toronto Star
  (f) Laptop with 620,000 Albertans’ personal health information stolen – Robson Fletcher, 22 Jan 2014, Metro News
  (g) 4 other cases of stolen health data in Alberta – 22 Jan 2014, CBC News
  (h) Ontario lags other provinces in updating health privacy laws – Olivia Carville, 06 Feb 2015, Toronto Star
  (i) Hundreds of hospital privacy violations go unreported – Olivia Carville, 13 Jan 2015, Toronto Star