Thousands of people’s health data on laptop stolen from Canadian territorial gov last year

This story is Part 1 of 3 on the stolen laptop files. Part 2 is scheduled for Tuesday and Part 3 will publish next week.

The number of people whose personal health information was put at risk after a laptop was stolen last year is much higher than the Northwest Territories (central Arctic) government initially reported, and the data breach affects people from every province and territory in Canada, according to internal documents obtained by CBC News.

Last May, a laptop belonging to an employee with the territory’s Department of Health and Social Services was stolen from a locked vehicle during a business trip in Ottawa. The laptop — used to do statistical analysis — was unencrypted but had a strong password, the Health Department said in announcing the breach last summer.

It contained health data for a majority of N.W.T. residents.

The N.W.T. government, which has a long history of health data breaches, has been silent about the stolen laptop since the public announcement in late June — more than six weeks after the theft. One other health data breach has happened since.

A health department spokesperson declined CBC’s request for an interview.

The department launched an internal investigation after the laptop theft, which is also being reviewed by the territory’s privacy commissioner. The N.W.T. privacy commissioner told CBC she recently received the department’s report and aims to complete her own investigation by May.

But documents reveal key updates and unreported details about the privacy breach.

The information is contained in more than 350 pages of internal government emails and documents obtained by CBC through the Access to Information and Privacy Act.

They date from May 9 — the day of the theft — to July 17, 2018, and suggest the laptop contained health data from as far back as 2009.

“We have no way to isolate what data was lost [or was] vulnerable to the breach or who were the subjects of the data,” the chief health privacy officer said in an email on June 19.

The department later relied on the employee’s memory of all potential datasets that may be on the laptop, to do their analysis.

Here’s what the documents further reveal:

50% of residents at risk of identity theft

Less than a week after alerting the public in late June, the Health Department found that 39,145 N.W.T. residents could be affected by the breach — up from the 33,661 figure that was publicly reported. Counting non-residents and unidentified individuals, the total number of people potentially affected exceeds 40,000.

The N.W.T. has a population of about 41,800 people, according to 2016 census data.

The increase was due to finding information that was previously missed, the department said in the documents.

The department also said that upon further analysis, the risk of identity theft “significantly decreased.”

About 47 per cent of N.W.T. residents whose information was contained in the datasets are at “no risk” of identity theft, according to the documents, as they were just identified by health-card numbers.

But the remaining 53 per cent could be at risk of because their names, dates of birth and/or health-card numbers were stored on the laptop.

PAP smears, TB, and colon infections

The documents also reveal that information about specific diseases, tests and vaccinations was potentially stored on the laptop. More than 50 per cent of all the records for N.W.T residents were in a tuberculosis surveillance dataset. With duplicates removed, the second highest number of records were for flu vaccinations.

Thousands of other records were related to HPV vaccinations, C. difficile (colon infections), pap smears, whooping cough, blood tests for tuberculosis, sexually transmitted infections and antibiotic-resistant diseases, among others.

Other information potentially on the laptop included: ethnicity, X-ray results, history of sexual partners, dates of death and “risk status.”

The internal documents say the tuberculosis blood test data was definitely on the laptop, while other data are categorized as “very likely” or “likely” to be on the laptop.

Data source with 100% of residents’ info

In their initial report to the department, the employee who lost the laptop listed the names of the sources, or information systems, used to extract datasets that “may have still been stored” on the laptop.

Among the systems listed is the Health Management Information System (HMIS), “which includes demographic information on 100 per cent of N.W.T. residents,” according to the documents. The documents note that HMIS is regularly updated and is “the most up-to-date source” for residents’ names, dates of birth, communities of residence, sex, health-card numbers and “other important indicators.”

It’s unclear whether HMIS was on the laptop, as the employee suggested they “rarely” worked with the system.

At the end of their report, the employee reiterated: “I cannot with absolute certainty rule in or out the complete list of files absolutely on or not on the [laptop] at the time of the theft.”

Info on Canadians from coast to coast

Information on at least 257 people from every other province and territory was also stored in datasets on the laptop, according to the documents. Most of the non-N.W.T. residents potentially affected by the breach — 71 people — came from the province of Alberta. The fewest, two, came from the province of Prince Edward Island (P.E.I.)

These people could have been visitors to the N.W.T., short-term workers or residents who recently moved, according to the Health Department.

Here’s the full breakdown by jurisdiction:

• 71 from Alberta.
• 46 from B.C.
• 46 from Ontario.
• 23 from Nova Scotia.
• 18 from Saskatchewan.
• 16 from Newfoundland and Labrador.
• 9 from Manitoba.
• 9 from Nunavut.
• 7 from New Brunswick.
• 5 from Quebec.
• 5 from Yukon.
• 2 from P.E.I.

The documents also note there are 634 records with errors or that are missing identifiers.

Police didn’t investigate, case is closed

Ottawa police did not formally investigate the theft, according to internal emails, as there was no video footage available from the area where the car was parked.

“Apparently the City of Ottawa police department receives in excess of 100 theft reports weekly … in the ByWard Market region,” the employee said in one email.

They say a constable told them the laptop was “likely sold for a small sum” and was “likely wiped clean.”

“No investigation was assigned,” states an internal email. “With no leads, the case has been closed.”

Part 2 of this series looks at details on the night the laptop was stolen, and whether the health department has adequate security training. The third story looks at why an unencrypted laptop was being used by health department staff.

Related stories from around the North:

Canada: Chinese-made equipment in Canada’s Arctic ships under scrutiny, CBC News

Sweden: Sweden police chief granted Canadian company access to sensitive data, Radio Sweden

United States: Unsecured database discovered with information from about 600,000 Alaska voters, Alaska Public Media