More than 4,000 patients and 1,200 Health P.E.I. employees are being notified of a privacy breach after an employee’s laptop was stolen in April.
The stolen laptop was password protected and information technology staff took steps to secure the information as soon as possible, including resetting the password, said Health P.E.I. CEO Dr. Michael Gardam.
“We are fortunate that number one, the information is considered relatively low risk information, and two, we have nothing to suggest any of that information was accessed, because we were able to contact the laptop, change the password, if you log in five times, it locks itself. So there’s nothing to suggest this information actually got out, but it’s still a privacy breach, and we need to learn from it.”
Health P.E.I. has sent letters to all those whose information may have been breached. It said the type of information contained in the files is not considered a risk for identity theft.
Police were notified the day after the theft.
The majority of the information was about the patients’ visits to P.E.I. emergency departments between Sept. 1, 2021, and Oct. 13, 2021, including the reason for the visit, the diagnosis and the name of the treating physician. Names, dates of birth, health card numbers, gender and postal code were included.
Some information — involving fewer than 30 patients — related to individuals who were in hospital awaiting long-term care. It included demographic information, including the patients’ name, health card number and information about their admission to the hospital, including the unit where they were a patient, how long they were admitted to the hospital and the fact that they had been medically discharged.
Personal information belonging to more than 1,200 Health P.E.I. long-term care staff, including names, positions, hours worked and rate of pay, was also on the laptop. No banking information was in the files.
Information and Privacy Commissioner to review
Information and Privacy Commissioner Denise Doiron has been notified of the incident and will conduct a review of the Health P.E.I. privacy breach investigation.
She said there are steps people can take if they think their privacy has been breached.
“The way a person can be on the lookout for that is if they have personal insurance, private health insurance, if there are any costs or claims that go through,that they did not claim, or for services they did not receive, that’s a red flag they should look into. Or if they go to their health-care provider for publicly funded health-care services, medicare, if they’re seeing services that were provided in their name that they didn’t receive, that should be a red flag as well and they should contact Health P.E.I.”
Apology from Health P.E.I. CEO
Gardam issued an apology to the patients and staff who were affected.
“Going forward, we will ensure that we always have de-identified information on laptops, so if the laptop is stolen, all you have are a bunch of numbers so you don’t have anybody’s name or something like that,” he said.
“So these are the kind of things that we’re doing a deep dive right now to learn all that we can from this, to prevent this from happening again.”