The next morning, the doctor reported the theft to the police, his head of department and the chair of the research ethics board.
The hospital’s senior management team was notified through the ethics board and convened to trigger the hospital’s ‘Critical Occurrences’ policy. They also brought the incident to the attention of the province’s Information and Privacy Commissioner (the regulatory authority responsible for personal data protection).
Several actions followed, including:
Notification to subjects / families about the security breach
Letters were delivered to all 300 subjects who were still active patients, for whom the hospital retained up-to-date contact information.
Where the data at risk was of a highly sensitive nature, the subjects were notified in person during clinic appointments.
As the contact information for former patients was likely outdated, it was decided that former patients would not be contacted individually. To do so might lead to further privacy breaches if letters were delivered to the wrong addresses.
However, the hospital issued a press release about the incident and posted the news on the hospital’s website. Contact information was provided so that any concerned individuals could get further advice.
Review of policies and practices to avoid re-occurrence
Following its investigation of the incident, the Information and Privacy Commissioner issued a Health Order to the hospital in March 2007. In her order, she stressed the importance of a multi-layered approach to securing patients’ information, citing the use of encryption, remote access to central servers (rather than carrying copies of data off site) and staff training.
As a result, the hospital enforced a corporate policy restricting the removal of identifiable patient information, in any form (physical or electronic), from the hospital. Where removal is unavoidable, the information must be de-identified or encrypted before it leaves.
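The policy above names de-identification as the minimum control when research data must leave the hospital. The following Python script is an added illustration of what that control looks like in practice; it is not the hospital’s code and is not part of the Order. It assumes constructed sample records, a hypothetical re-linking key (RELINK_KEY) that stays on the hospital’s central server, and a reference date for computing ages. Direct identifiers are dropped, the medical record number is replaced by a keyed pseudonym, dates are generalised, and an export-time check refuses any record that still carries a direct identifier.

```python
import hmac
import hashlib
from datetime import date

# Constructed sample records (not real patients): the kind of identifiable
# research data the page describes being carried off site on a laptop.
SAMPLE_RECORDS = [
    {"mrn": "MRN-000123", "name": "Jane Doe", "dob": "1998-04-17",
     "address": "12 Example St", "diagnosis": "asthma", "visit": "2006-11-02"},
    {"mrn": "MRN-000456", "name": "John Roe", "dob": "2001-09-30",
     "address": "34 Sample Ave", "diagnosis": "epilepsy", "visit": "2006-12-14"},
]

# Hypothetical secret held only on the hospital's central server. It never
# travels with the export: with it the research team can re-link results to
# patients; without it, someone holding a stolen file cannot recover the MRN.
RELINK_KEY = b"placeholder-key-from-hospital-key-store"

# Fields that identify a person on their own and must never leave the hospital.
DIRECT_IDENTIFIERS = ("mrn", "name", "address")


def pseudonym(mrn: str, key: bytes = RELINK_KEY) -> str:
    """Keyed HMAC-SHA256 of the MRN, truncated to 16 hex characters.

    An unkeyed hash would be reversible by hashing every plausible MRN
    (a small, structured space); the secret key prevents that.
    """
    return hmac.new(key, mrn.encode(), hashlib.sha256).hexdigest()[:16]


def generalise_dob(dob: str, on: date) -> int:
    """Replace a full date of birth with age in whole years at a reference date."""
    y, m, d = map(int, dob.split("-"))
    born = date(y, m, d)
    return on.year - born.year - ((on.month, on.day) < (born.month, born.day))


def deidentify(record: dict, on: date = date(2007, 1, 1)) -> dict:
    """Return a copy of the record with direct identifiers removed and
    quasi-identifiers (birth date, visit date) generalised."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["pid"] = pseudonym(record["mrn"])
    out["age"] = generalise_dob(out.pop("dob"), on)
    out["visit_month"] = out.pop("visit")[:7]   # keep year-month only
    return out


def check_no_direct_identifiers(record: dict) -> bool:
    """Export-time guard: refuse to write a record that still carries a direct identifier."""
    leaked = [k for k in DIRECT_IDENTIFIERS if k in record]
    if leaked:
        raise ValueError(f"record still contains direct identifiers: {leaked}")
    return True


def export(records, on: date = date(2007, 1, 1)) -> list:
    """De-identify every record and verify the result before it is allowed off site."""
    out = [deidentify(r, on) for r in records]
    for r in out:
        check_no_direct_identifiers(r)
    return out


if __name__ == "__main__":
    for row in export(SAMPLE_RECORDS):
        print(row)
```

Pseudonymisation alone is not anonymisation: a rare diagnosis combined with an age and a visit month can still single a patient out, so the residual quasi-identifiers would be reviewed against the dataset’s size before release, and the file would still be encrypted in transit and at rest as the Order requires.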
For further details about the case, read the full Order HO-004 (Cavoukian, 2007).