Tag: privacy commissioner

FAXING HEALTH INFORMATION TO THE WRONG PEOPLE

Nova Scotia – 2006 – 2016

For over 10 years dozens of highly sensitive mental health records were faxed to Lisa Belanger’s Bedford spa; faxes which should have gone to a mental health referral office. “She estimates she receives between eight and 14 a year.” (1)  She contacted the doctors offices that sent the fax, and “an official at the former Capital District Health Authority, hoping someone there would take action to stop it.”(1)  They said memos were sent to all doctors offices telling them to carefully enter fax numbers and to have “the proper preset fax number on the fax machine” (1)  But Ms. Belanger continued to receive faxes.  Really, how hard is it to preset a fax number?

“She says she subsequently called Health Minister Leo Glavine’s office, the College of Physicians and Surgeons and the office of Nova Scotia’s privacy commissioner.” (1) * “Belanger was concerned about the personal information on the documents.” (5)  She said “she’s been repeatedly assured by health officials the problem would be fixed, but the faxes continued.” (5)  “She has even made suggestions on improving the way faxes are transmitted.” (1)  Finally, in 2016, in frustration she contacted the CBC. (5)

“Everton McLean, a spokesman with the Nova Scotia Health Authority, said doctors are independent and the authority can’t tell them what to do.” (1)   And yet, “Nova Scotia’s Personal Health Information Act says it’s an offence to fail to protect personal health information in a secure manner. Anyone found guilty may be subject to a fine of up to $10,000 or imprisonment for six months, or both.” (1)  I think if you start enforcing the law there would be change.  Also, doctors are paid from tax dollars so, I believe, the government can put conditions on receiving those funds.   “Halifax privacy lawyer David Fraser” said “‘The larger concern for me is the apparent casualness with which these documents are being faxed and also what seems to be the response when they’re told that they’re going to the wrong place,”‘ Fraser said. (1)

When this issue hit the media, the privacy commissioner started to pretend to do something (they do like their name in the media). Privacy commissioner Catherine Tully made recommendations (5) which the doctors are free to ignore.  In fact, I suspect that most doctors aren’t aware that a report was written much less read it.

 

“Tully said if the information had ended up in the hands of someone who knew the patient, the harm would be ‘close to irreparable.'” (5) We don’t know that some unreported mis-faxed information hasn’t gone to people who know, or will know, a patient and the patient just hasn’t heard about it.  We only know about the faxes reported to the media.

“Privacy commissioner Catherine Tully wrote in a report… that momentary inattention and human error by those sending the faxes are to blame for the three cases her office examined.” (5) But, between 80 and 140 faxes went to Ms. Belanger’s spa over 10 years.  Were all these human error?  And, at what point, does human error become incompetency or just disregard for people’s rights?

“The report says doctors notified each of the patients whose privacy was breached.” (5) Were these just the patients in the three cases Tully received or all 80 to 140 patients whose personal/health information was received by Ms. Belanger?  The report also does not say when or how the patients were notified, nor is there any verification that it is true.  A victim of the breaches, whose name was not given, said “he only learned of it this week when Belanger herself contacted him to say his information had been faxed to her last fall.” “‘This is pretty serious stuff,” he said. “This can ruin people’s relationships, careers, a whole myriad of things.'” (2)

As of June 1, 2013, “’The Personal Health Information Act does require that notification goes to somebody,’ (bolding mine) said Robert Bay” (a Nova Scotia privacy commissioner spokesperson).   “So the question is: Is the notification to the individual whose privacy has been breached or is the notification to our office? The determining factors are the degree of harm or embarrassment that would result from the breach.” “He says if the” ‘custodians’ “who hold the personal information”, the doctors, “determine there is no potential harm or embarrassment, then the person whose information was mishandled may not be told.”  “The commission said it has no way of knowing how many breaches resulted in notification to patients.” (2)  In essence, unless the commissioner has been notified, they have no way of knowing if anyone was notified.  And, why would you notify the commissioner if there is no potential of harm or embarrassment to the patient and not when there is?  Why are the doctors given the right to make this decision?  Isn’t that a conflict of interest?  How often do you think doctors will decide “no harm done” and not inform patients that their privacy was breached and not inform the privacy commissioner.  Not that notifying the privacy commissioner is any great help.  All they can do is write a report and/or encourage/recommend as they have no enforcement powers.

 

North West Territories – 2010

On four separate occasions, in a two month period, confidential files were mistakenly faxed to the CBC from the N.W. T.’s main hospital. If this weren’t so serious, it would be funny.

The hospital then imposed a faxing freeze “on any medical documents unless it is an emergency”. (4)

“In addition to the freeze, the hospital has also implemented a temporary policy requiring two staff members to oversee the faxing of confidential documents, Lewis said” (CEO of Stanton Territorial Hospital). (4)

“This ‘double-checking’ policy, which is meant to ensure the faxes reach the right destination, will stay in place until a permanent solution is found, she said.” But, as usual for the government, “she wouldn’t give specific details about any measures being taken”.(4)

In 2012 the CBC received its 6th sensitive medical fax in two years. (6) This came from Kugluktuk, Nunavut health centre.  “The fax included information about the patient and their sexual health history.”  “In a statement, the department said it’s investigating. It added that health centres are required to use pre-set speed dials for confidential patient referrals”.  (6)

“At the time, Health Minister Tom Beaulieu said a summer student sent that fax. The department has not yet said if any action was taken, or why the faxes continue to come to CBC North in Yellowknife.”  (6) It certainly illustrates how important privacy is – the faxes continue and very sensitive patient information is given to a summer student.  But the government/medical business will tell you that it takes your privacy very seriously — just propaganda.

 

Alberta – 2014

“Entering incorrect telephone numbers into fax machines is being blamed for more privacy breaches of personal health information by Alberta Health Services.” (3)

“Documents obtained by CBC News through access to information show that Alberta Health Services were regularly (bolding mine) sending faxes intended for Strathcona Home Care to a custom home builder in Sherwood Park over a two-year period.” (3) “At one point the builder was receiving as many as one fax each week.” (3)  “Despite repeated calls, the faxes continued until company owner Dianne Ingram sent AHS a fax of her own.” “She scrawled, “You have the wrong fax number!! Stop faxing us!!.” (3)  Also faxes were sent to a manufacturing company. (3)

“Patients often go uninformed when their information is disclosed.”  (3)

“While AHS is not obligated to report breaches, Hamilton (Brian Hamilton, with the Office of the Alberta Information and Privacy Commissioner) said his office encourages AHS to inform all patients whose privacy has been breached.” (3)  Sorry, but, in my opinion, “encourage” is essentially meaningless.

“’This is highly sensitive information and an issue of public trust,” privacy commissioner Frank Work said. “How can the public have faith in public bodies if they can’t provide security for personal information?”‘ (7) (Bolding Mine). He was referring to laptops but it is just as relevant to faxes.

‘”It’s surprising,” Hamilton said during an interview. “The health sector in particular, spends millions of dollars on information systems with secure access, and yet people keep faxing.”‘ (3)

“Sending personal information by fax is a less secure method of transferring information compared to encrypted emails, he said.” (3)

Dr. Verna Yiu, with Alberta Health Services said “We do rely on cooperation of the recipient to let us know that” (they have received a mis-fax), “and I would have to say that in general (italics mine) people are pretty co operative about that.” (3)  This is NOT a privacy policy.  This is NOT how you protect patient information.

 

Some Questions:

  1. In all these cases, the doctors offices, violating patients privacy, were not identified. Should they be? Would you want to know who is not taking care of your information?
  2. Most people who violate people’s privacy are either not disciplined, disciplined (ex. A day or more off without pay), or fired. Should the penalties be stiffer? Do we have a right to know what disciplinary action is taken under what circumstances so we can determine if this is sufficient or excessive?
  3. Don’t you think THE PATIENT should be notified in all cases so the PATIENT can decide the degree of harm in violating the patient’s privacy?
  4. Should there be a central phone number that people can call when they receive medical information that belongs to someone else?

You may have noticed the trend by the government/medical system: it’s someone else’s responsibility, there is nothing we can do, false promises to fix it or we’ll look into it but the people never hear if anything was ever done to fix the problem.  And if it hits the media, the “problem” is sent to the privacy commissioner, who writes a report.  The report may say “Order No.” but it is not an order, it is a recommendation which the medical system is free to, and I suspect in most cases does, ignore.  So what changes – NOTHING.  Mistakes are made, and I think people would be mostly forgiving, if they knew concrete steps had been taken to fix the problem.  Instead we get propaganda – we’ll fix it, trust us, trust us.  Save the money from all these useless, money-sucking,, reports and put it into software/training for something positive such as end-to-end encryption and enforcement; privacy might be protected and money saved.

And, these violations are only the ones that are reported to the media. These are, no doubt, the proverbial tip of the iceberg.  I suspect there are some medical people who are very careful about patient’s privacy.  But, we don’t know who they are, therefore all are suspect.

I am deeply grateful to Ms. Belanger and Ms. Igram for sharing the information with the media; and to CBC News for publicising the problem. It is the only way we are learning that our information is not protected.  And, until we know the truth, we cannot try to fix the problem.

* I contacted a Minister of Health, Victor Boudreau, twice and requested an organizational chart/description of the health system in a province (who reports to whom and what are their responsibilities). Never got a reply (see future post tentatively titled “My Story – Part II).

 

  1. Mental health records sent to Nova Scotia spa in error over last decade – Yvonne Colbert, 07 Apr 2016, CBC News
  2. Victim of mental health privacy breach in Nova Scotia feels “very exposed” – Yvonne Colbert, 08 April 2016, CBC News
  3. Unsecure faxes put health data of Albertans at risk – Kim Trynacity, 10 Feb. 2014, CBC News
  4. N.W.T. Hospital clamps down on medical faxes – 07 Jul 2010, CBC News
  5. Privacy commissioner says doctors should move faxing patient referrals – Yvonne Colbert, 23 Nov. 2016, CBC News
  6. CBC Yellowknife newsroom gets 6th medical fax in 2 years – 30 Jul 2012, CBC News
  7. Security on stolen laptops was inadequate: privacy commissioner – 24 Jun 2009, CBC News

 

GENETIC TESTS

So, what happens to the genetic tests that are done on you, with or without your knowledge/permission [see future posts “My Story” and “Information Collected (or Not)].

Besides going to researchers (and probably the pharmaceutical companies they are associated with), it may go to insurance companies, employers, banks, marketing companies and probably a whole lot of other “people”. And this is just the start.

“Canada’s privacy watchdog is urging insurance companies and others to stop asking for access to the results of existing genetic tests.”

Federal Privacy Commissioner Daniel Therrien says it is becoming more of a challenge to protect people’s genetic privacy with recent advances in science and technology.

‘We are calling on the industry to refrain from asking for existing test results to assess insurance risk until the industry can clearly show that these tests are necessary and effective in assessing risk.’  Therrien said in a statement Thursday.

There are now hundreds of tests to help spot genes known to increase a person’s risk of certain medical conditions.

But some people may decline tests for fear a positive result may mean they could face discrimination from insurance companies or their employers.. (1)

There are currently no laws in Canada that specifically prohibit genetic discrimination.”

Declining the tests, of course, assumes the people are given an option and the tests are not just done, without the people’s knowledge/real consent, from blood and other samples collected by the medical business.

And what will happen when they “open the door to an era of personalized medicine,” where treatments are tailored to specific genetic characteristics. (2) How many other people/organizations will have access to our very, very personal information such as marketers, suppliers, banks, insurance companies, employers, other countries (who many disallow you into their country), etc.?

How much discrimination will the people face based on our specific genetic characteristics? Will they be denied having children?  Will they be denied certain health care, jobs, etc.  Will they be targeted for experimentation (with or without their knowledge)?  And the list of possible discrimination goes on…

We have no idea what’s going on and how it will affect us. It seems like a free-for-all with our information/body parts.  And once it’s out there, you don’t get it back.  And we have no idea what’s going on in the medical/government business.

The turdits, and their friends in the medical/government business, won’t/can’t protect our information and, instead, share it with all the ghouls even when there are laws prohibiting it (see all past/future posts) and, of course, in cases like genetic tests they don’t even bother with laws. That would be working in the interests of the people and gawd forbid that should happen.

 

  1. Insurers asked to stop seeking access to results of genetic tests – The Canadian Press, 11 July 2014, Metro
  2. Hospital launches legal challenge to patents on genes – Andre Picard, 4 Nov 2014, The Globe and Mail

 

ANOTHER MAJOR PRIVACY BREACH IN B.C.

Since 2010, a total of 4,420 government privacy breaches have been reported to the Office of the Chief Information Officer in B.C. That’s almost a thousand “breaches” a year. (1)  And, it only includes those reported.   The privacy commissioner’s office has “looked into some 500 privacy breaches of one kind or another involving government and its agencies over the past five years”. (9)  And again, it includes only those reported which are a very small fraction of the total “breaches” because government agencies are not required to report “breaches”.

Now, more information has been “lost” by the B.C. government. This time the education ministry  “lost” “personal information for 3.4 million B.C. and Yukon students and B.C. teachers from 1986 and 2009.   The hard drives included names, addresses, genders, birth dates and education identity numbers, teacher retirement plans, substance abuse information, mental health issues, psychological assessments, plus detailed family data, social, type of schooling, grade information, graduation status, financial aid data, and designations such as ESL and special needs, economic and education status of cancer victims and children in provincial foster care and health and behaviour issues for children in care.  (1)(2)(5)(7)  “It also included family troubles and police interventions……, letters from members of the public with specific complaints about teachers; particulars on some 1,000 cancer survivors who took part in a lengthy research trial”. (9) This information was NOT anonymous.  All information could be connected to people’s names. (8)

Why does the education ministry have information going back 30 years? The teacher retirement plans was a survey done in 2003 so the older information pertains to the children.  Isn’t there a time limit on how long the government can keep information on students and children in care.  Oh right, this is the B.C. government that keeps all information on citizens for ever.

The hard drive was discovered missing in August 2015 but the hard drive “could have been missing for as long as five years”. (4)  The ministry had been trying to track it down since early August and didn’t notify the Technology Minister Amrik Virk until around September 11, 2015.

Again, the privacy commissioner’s office listed numerous ways in which the education ministry failed to provide adequate security and provided recommendations to improve security. (1) This is the same list/recommendations as identified in previous “breaches” and, no doubt, it will be the same list/recommendations as identified in future “breaches”.  I suspect the privacy commissioner’s office keeps a copy of this list of inadequate security measures and recommendations that it just reprints for each new “breach’  because nothing changes.

The Technology Minister Amrik Virk called the “breach” “low risk” because there is no indication of fraud and identity theft. (5) What a “convenient” statement.  Apparently, the ministry has done comprehensive searches by up to 50 bureaucrats, and “they had looked in every box, in every desk, in every drawer, and they weren’t able to find it” (6), but the ministry still considers the possibility of theft to be “low”.  And, the warehouse was not equipped to secure information. (6)  Plus, when the statement was made, the ministry had not examined the potential risk to individuals or notified them. (5)  The use of the information by others may not be as obvious as identity theft.  Personal information is very valuable these days.  Based on what I’ve read, companies are building large personal information databases.  This information can be used by the company and/or sold to marketers, insurance, banks, future employers, etc. so the people whose information went “missing” may never know that they lost a job, a bank loan, insurance and so on because of the information the companies were/are able to access.  This “loss” of information could haunt these people for the rest of their lives.

And, as the privacy commissioner’s office noted: the information could cause emotional hurt, humiliation or damage to reputation, if in the wrong hands.   “I think it essential to emphasize that the affected individuals are some of the most vulnerable in our society.  They include children in care, children in custody, children with special needs, and children with health conditions. These are all circumstances that can lead to stigmatization by society in general and instances of individual discrimination.” (1)

The privacy commissioner’s office “interviewed some 16 individuals, including current and former employees. But ‘owing to the passage of time, the testimony was, understandably, often vague, incomplete or inconsistent.’ Coupled with the lack of documentation — another common occurrence with this government — she was unable to place blame on any particular individuals”. (9) So, again, no one will be held accountable.

Education Minister Mike Bernier said: “We sincerely apologize for any inconvenience this incident may have caused people” (italics mine).  Could you trivialize the matter more?  My goodness, did the government drop someone’s pen?

But just ask the B.C. government, including medical people, and they will tell you that your information is protected.

“The incident prompted the Government Communications and Public Engagement office to write a 16-page script of anticipated questions and suggested answers for politicians.” (1) So the hand puppets and toadies just regurgitate the scripted answers.

The scripted answers also state that the trend of reported “breaches” was increasing through 2014, but has since begun to decline. Other possibilities:

  1. This is a scripted answer by government so is likely a lie. See post “Our Information is Not Protected – Part I” for example(s) of how government lies.
  2. The government may just be covering up more “breaches” and not reporting them.
  3. When you are “losing” information on millions of B.C. citizens at one time, what’s left to “breach” that isn’t already out there? Again, see post “Our Information is Not Protected – Part I” where the government “illegally shared” information on 4 to 5 million B.C. citizens.

And, of course, they promise everything will be fixed so citizen’s information is protected. Until the next time!!  Because they lie!!

My question is: Is there any information left, on the people of B.C., held by the B.C. government, that hasn’t been illegally shared or “lost”??

 

 

 

 

 

  1. Education Ministry Chastised for Latest BC Data Breach – Bob Mackin, 29 JAN 2016, TheTyee.ca

 

  1. Ministry of Education failed to protect personal information involving missing portable hard drive – Dissent, 28 JAN 2016, Office of Inadequate Security

 

  1. Investigation Report F16-01, Ministry of Education, 28 JAN 2016, The Privacy Commissioner’s office; CanLII Cite: 2015 BCIPC No. 65; Quicklaw Cite: [2015] B.C.I.P.C.D. No. 65

 

  1. B.C. ministry broke rules, leading to data breach: Privacy commissioner – The Canadian Press, 28 JAN 2016, The Globe and Mail,

 

  1. B.C. education data breach: government can’t find unencrypted hard drive – 15 Sep 2015, CBC

 

  1. B.C. Education Ministry Slammed For Losing Hard Drive With Students’ Personal Info – Tamsyn Burgmann, 28 JAN 2016, The Canadian Press

 

  1. B.C. ministry broke rules, leading to data breach: Privacy commissioner – The Canadian Press, 28 JAN 2016, The Globe and Mail

 

  1. Largest data breach in B.C. could have been “completely preventable’: watchdog report – Paula Baker, 28 JAN 2016, Global News (this is actually the 2nd largest see , see post “Our Information is Not Protected – Part I” where the government “illegally shared” information on 4 to 5 million B.C. citizens.

 

  1. Privacy breach a failure of ‘executive leadership,’ watchdog says – Vaughn Palmer, 28 JAN 2016, Vancouver Sun (a paper I never bought)

 

10. B.C. student data breach could affect more than 3 million people – Amy Judd, 22 SEP 2015, Global News

RIGHT TO KNOW WEEK

When I was in B.C. I attended a “right to know week” talk at the library. A woman who represented the library introduced someone from the Privacy Commissioner’s Office, someone from the police department and another person.  These three people then gave their talk.  Basically, the Privacy Commissioner’s Office and the police department talked about how wonderful they were.  It was all one-sided; there was no one on the dais to disagree with anything they said.

But the audience had an opportunity for questions and comments. Most were directed at the Privacy Commissioner’s office.  The first at the microphone was a gentleman.  Just after he started talking he was interrupted by the woman from the library, who yelled at him comments like “who cares what you think”, “who cares what you have to say” and so on.  He had the microphone and she had no right to speak.  When she was finally finished, the gentleman continued with his comments/questions as if she hadn’t spoken.  I admired his patience and fortitude.  I sat in the audience, astounded by this woman from the library, and said nothing.  I should have spoke up but I didn’t.  I would now.

A couple rows behind the microphone sat three women in the last three seats of the row. They ridiculed the people who were speaking at the microphone.   I didn’t get the impression that these women just walked off the street and thought it would be fun to listen to the speeches and then heckle the people in the audience who spoke.  It looked planned.   I, and I’m sure others, gave them dirty looks.  Finally, they left.  But again, I should have spoke up but I didn’t.  I would now.

It seems that you have the right to know, as long as it is what the government and their toadies want you to know (otherwise known as propaganda).

Lack of Independence

Mary Carlson was Executive Director of the Office of the Information and Privacy Commissioner for B.C. She then became Deputy Registrar of the Office of the Registrar of Lobbyists for British Columbia.  The privacy commissioner’s office is suppose to operate independent of the politicians, both provincially and federally.  But, I don’t believe you can operate independently if your next job depends on being “liked” by the politicians.  It’s all smoke and mirrors.

David Loukidelis was the B.C. information commissioner before he accepted the post of deputy attorney-general. As Vaughn Palmer pointed out, by bringing him in-house they silenced a critic (in some areas), at a convenient time and turned the critic into a lap-dog. (Sabotage? Or merely incompetence?, Vaughn Palmer, 25 Jan 2010, View from the Edge).