Laptop with health data stolen from Northern Canadian gov was unencrypted

This is the final story on the stolen laptop files. Here’s Part 1 and Part 2.

The Northwest Territories government’s information technology division knew a set of laptops were “very difficult” to encrypt, but still handed it out for government staff to use in 2013, suggest internal documents obtained by CBC News.

One of those unencrypted laptops — which potentially contained health data on nearly the entire territory’s population — was eventually stolen, according to the territorial government.

This information is contained in more than 350 pages of internal Department of Health and Social Services emails and documents discussing the stolen laptop health privacy breach, which CBC News obtained through the Access to Information Act.

Last May, the unencrypted laptop belonging to an employee with the Health Department was stolen from a minivan in a parking garage in ByWard Market in downtown Ottawa.

It’s estimated the laptop had data on about 40,000 people ” rel=”noopener” target=”_blank”>from every province and territory in Canada, and likely had residents’ sensitive health information about sexually transmitted infections and tuberculosis prognoses, among other diseases.

The laptop, which was used for statistical analysis, has not been found.

The laptop — a Lenovo Helix tablet and laptop hybrid — was one of about 20 to 40 purchased by the N.W.T. government in 2013 “at senior management request,” according to the documents.

Emails describe the Helix laptops as “very old equipment.”

“Although this unit was quite old and is no longer available to [government] staff, there may be as many as 20 still in circulation,” an internal email states from last June, after the theft.

“This creates a privacy risk for the [government] and any data held on those devices.”

All laptops issued by the government’s Technology Service Centre (TSC), run under the Department of Infrastructure, are supposed to be encrypted, according to government officials.

Laptops ‘very difficult’ to encrypt

In the immediate aftermath of the theft, the Health Department “received a blanket statement” from the technology centre that all laptops are encrypted, according to internal emails.

But a further internal probe found that the government’s Helix laptops were, in fact, not encrypted and were handed out to staff without protections.

“We were initially told that all TSC-issued laptops and computers have full encryption,” wrote the chief health privacy officer in an internal email.

“Subsequently, I have learned that TSC informed the individual (after the theft) that this particular device was very difficult to encrypt, so it was issued without encryption.”

The Helix laptops, which had a Windows 8 operating system, appear to have been incompatible with the government’s encryption software at the time, according to an internal email from the employee responsible for the stolen laptop.

She also said she had no idea the laptop was unencrypted.

“The encryption software available within the [government] was not compatible with those tablets and the tablets were not encrypted,” wrote the employee in an internal email.

“This was not communicated to the 20 or 40 individuals who received them.

“[I] was not informed at any stage that they were not encrypted.”

Additionally, the TSC has a process where it replaces government laptops every three to four years to ensure devices have the latest technology, according to its director.

But the health department employee’s stolen laptop, purchased in 2013, was not registered with the TSC’s system, according to internal documents.

This means the stolen laptop was not flagged to the tech centre for replacing in 2017, the year before the theft.

IT staff unqualified, says source

According to a N.W.T. government employee who currently works in information technology, some staff and managers within the government’s IT division are unqualified to do their jobs. They said in some instances, staff don’t have IT degrees like computer science, but are sometimes transferred into their jobs through questionable internal hiring processes.

CBC News has agreed to withhold the identity of the IT employee, as they feel speaking out would put their job at risk.

“If we hired health-care professionals here the same way we hire IT people, anyone who can sew something can be a surgeon,” said the IT employee.

The IT employee expressed disbelief about the emails suggesting the laptops were “very difficult” to encrypt.

“I don’t believe it. I can’t,” they said. “Difficult means you can still do it.”

The IT employee added that qualification matters, especially when IT staff are dealing with practices like encryption of laptops.

“They could have [found] some alternate ways [for] encryption,” the IT employee said. “There’s so many software out there — you can virtually encrypt anything.”

Joe Mayer, vice-president of Toronto-based company Identos, says encryption should be elementary for IT staff.

“This is sort of basic stuff,” said Mayer, whose company specializes in encryption of mobile devices.

“These things just shouldn’t be missed. And I think people usually get held accountable if this is the case.”

Mayer said if tech staff knew the Lenovo Helix was difficult to encrypt, it should have been removed from government use immediately.

‘High confidence’ in IT staff

Last summer, the Health Department said that the encryption process either failed, missed or “was not detected” by the TSC in the case of the stolen laptop.

At the time the Helix tablet-laptop hybrids were purchased in 2013, the centre was not familiar with encrypting tablets, according to Laurie Gault, director of the government’s TSC.

“We had not previously worked on tablets,” said Gault. “We had not tried [encryption] on these before.”

Gault said the tech centre later introduced specific encryption software for tablets between 2014 and 2015.

There were one or two individuals involved in encrypting the Helix devices at that time, and they have “since left my department,” said Gault.

When asked why the unencrypted laptops were handed out by her staff, she said “there was some urgent need for these. ”

She added that her staff tested the laptops and that the Technology Service Centre realized “after the fact” that the Helix laptops were unencrypted.

When asked if all IT staff and managers are qualified for their jobs, Gault deferred to Human Resources and said she has “high confidence” in her staff.

The Health Department said in an email response that ever since the theft, the Technology Service Centre reviewed all Health Department laptops to ensure they were encrypted.

The department added that the stolen laptop had a strong password.