Northern gov employee given privacy training weeks before laptop with health data stolen
This is part 2 of three stories on the stolen laptop files. Here’s part 1. Part 3 is scheduled for next week.
The Northwest Territories government employee who was responsible for a laptop with health information for nearly the entire territory’s population had received training on how to securely handle portable devices just two weeks before the laptop was stolen in Ottawa last May, according to documents obtained by CBC.
Between 7:56 p.m. and 9:35 p.m., on May 9, 2018, someone broke into a rented Dodge Grand Caravan parked in the heart of Ottawa’s downtown and stole the government device, according to documents.
The N.W.T.’s Department of Health and Social Services later deemed the theft of the unencrypted laptop a data privacy breach. The laptop is estimated to have stored data on about 40,000 people from every province and territory in Canada, and likely held residents’ sensitive health information about sexually transmitted infections, tuberculosis and C. difficile prognoses, among other diseases, as CBC reported Monday.
Police never formally investigated, and the laptop has not been found.
On the night of the theft, the laptop was inside a backpack belonging to an employee with the Health Department.
She was on a business trip and had dinner plans that Wednesday night in Ottawa’s busy ByWard Market.
This information is contained in more than 350 pages of internal government emails and documents discussing the stolen laptop privacy breach, which CBC obtained through the Access to Information and Privacy Act. Most information about the employee’s identity was redacted in the documents.
That night, the employee had a moment of contemplation in an underground parking garage on George Street.
“I had concerns the knapsack could be taken off my person given the busy streets and sidewalks of the ByWard Market,” wrote the employee in an internal liability report, obtained by CBC.
“I assessed that leaving the knapsack in a locked vehicle with tinted windows in a well-lit parking lot under surveillance cameras was more secure than carrying it.”
The employee said the minivan didn’t have a trunk, so she left the backpack “between the seats behind the centre console,” and put luggage on top of it, according to documents. (The government previously said “the device was in a secure compartment.”)
Also inside the backpack was a file folder with draft reports, her itinerary, and a government of the Northwest Territories notebook with notes from recent meetings and to-do lists.
While unloading her luggage after driving back to her accommodation, the employee realized that the backpack had been stolen.
Nothing else was stolen from the car.
“I could easily identify scratches on the plastic door panel … as well as fingerprints on the passenger side doors,” the employee noted later.
A night of searching began.
“[I] did a thorough exploration of public garbage cans and dumpsters, stairwells, elevators, dark alleys and corners, local planters,” wrote the employee.
She called police, reported the theft to two local security companies, and left her contact information at several pawn shops and computer repair shops downtown.
The employee reported the theft to the N.W.T. Health Department by email by 11:25 p.m. that night.
“[I] spent the last three hours sorting through dumpsters, flagging down security guards and revisiting the scene (and other less salubrious corners of Ottawa’s downtown core.) All to no avail,” she wrote in that email.
Questionable privacy training
The Health Department declined an interview request about its privacy training, so it’s unclear if the employee’s training was adequate at the time.
But the documents suggest she did not routinely permanently delete sensitive data files off the laptop.
“Although my practice has since changed, I historically did not delete files immediately after using them and often kept files for later reference,” wrote the employee in an internal report.
Documents reveal that on April 26, less than two weeks before the theft, the employee received training on the secure use of portable devices and safeguarding health data.
She attended another training session a month after the theft.
But training for health department staff seems to be a recent and infrequent practice.
Documents suggest health department staff got “general privacy training” after the new Health Information Act came into force in 2015 — but it doesn’t appear to have been routine.
“I do not believe any privacy training has been provided to date by this office’s predecessors,” wrote the chief health privacy officer Jannet Ann Leggett, in an internal email. She started her job in November 2017, according to LinkedIn.
The employee appears to be a manager within the department, based on details left unredacted in the documents. She analyzes health data, and surveils diseases, tests and cancer, among other duties — which explains why she may have had these datasets on the laptop.
The government previously said the employee took it to Ottawa for meetings.
When contacted by CBC, the employee deferred to the department’s media relations.
When asked if managers are held to a different standard than regular employees, the N.W.T.’s information and privacy commissioner Elaine Keenan Bengts said “absolutely not.”
“Everyone should be held to the same standard — and that’s a high standard.”
It’s unclear whether the employee was disciplined. The Health Department has said it doesn’t comment on personnel matters.
Mandatory ‘advanced privacy training’
“I am concerned that databases were on a laptop as opposed to a server within a [government of the N.W.T.] system. I am concerned that somebody was travelling with an unencrypted laptop,” Keenan Bengts told CBC.
“I am concerned that any of this is ever even allowed to happen.”
She recently received the department’s investigation file, and will aim to complete her review by the one-year anniversary of the theft in May.
After declining an interview request, citing the privacy commissioner’s investigation, a spokesperson for the Health Department sent a list of actions that it has planned since the theft, going into 2020:
- Mandatory “advanced privacy training” for staff across the territory.
- Creating guidance documents on how to handle sensitive information on portable devices.
- Creating online training modules for health information custodians.
- Appointing a “privacy contact person” in all 13 divisions in the Health Department to ensure new staff get ongoing training.
As of December 2018, the department says 100 per cent of department employees completed “privacy boot camp” training.