Laptop with health data stolen from Northern Canadian gov was unencrypted

A woman types on her laptop in a file photo from December 2016. The N.W.T. government’s Technology Service Centre didn’t encrypt a set of laptops back in 2013 and handed them out to government employees to use, according to internal documents obtained by CBC News. (Wilfredo Lee/Associated Press)

This is the final story on the stolen laptop files. Here’s Part 1 and Part 2.

The Northwest Territories government’s information technology division knew a set of laptops were “very difficult” to encrypt, but still handed it out for government staff to use in 2013, suggest internal documents obtained by CBC News.

One of those unencrypted laptops — which potentially contained health data on nearly the entire territory’s population — was eventually stolen, according to the territorial government.

This information is contained in more than 350 pages of internal Department of Health and Social Services emails and documents discussing the stolen laptop health privacy breach, which CBC News obtained through the Access to Information Act.

Last May, the unencrypted laptop belonging to an employee with the Health Department was stolen from a minivan in a parking garage in ByWard Market in downtown Ottawa.

This particular device was very difficult to encrypt, so it was issued without encryption.

N.W.T.'s chief health privacy officer, in an internal email

It’s estimated the laptop had data on about 40,000 people ” rel=”noopener” target=”_blank”>from every province and territory in Canada, and likely had residents’ sensitive health information about sexually transmitted infections and tuberculosis prognoses, among other diseases.

The laptop, which was used for statistical analysis, has not been found.

The laptop — a Lenovo Helix tablet and laptop hybrid — was one of about 20 to 40 purchased by the N.W.T. government in 2013 “at senior management request,” according to the documents.

Emails describe the Helix laptops as “very old equipment.”

“Although this unit was quite old and is no longer available to [government] staff, there may be as many as 20 still in circulation,” an internal email states from last June, after the theft.

“This creates a privacy risk for the [government] and any data held on those devices.”

All laptops issued by the government’s Technology Service Centre (TSC), run under the Department of Infrastructure, are supposed to be encrypted, according to government officials.

Laptops ‘very difficult’ to encrypt

In the immediate aftermath of the theft, the Health Department “received a blanket statement” from the technology centre that all laptops are encrypted, according to internal emails.

[I] was not informed at any stage that they were not encrypted.

Health department employee whose government-issued laptop was stolen

But a further internal probe found that the government’s Helix laptops were, in fact, not encrypted and were handed out to staff without protections.

“We were initially told that all TSC-issued laptops and computers have full encryption,” wrote the chief health privacy officer in an internal email.

“Subsequently, I have learned that TSC informed the individual (after the theft) that this particular device was very difficult to encrypt, so it was issued without encryption.”

A file photo of Ottawa’s ByWard Market. On May 9, 2018, someone broke into a rented Dodge Grand Caravan parked in the heart of Ottawa’s downtown and stole an N.W.T. government device that potentially contained health data on the majority of the territory’s population. (CBC)

The Helix laptops, which had a Windows 8 operating system, appear to have been incompatible with the government’s encryption software at the time, according to an internal email from the employee responsible for the stolen laptop.

She also said she had no idea the laptop was unencrypted.

“The encryption software available within the [government] was not compatible with those tablets and the tablets were not encrypted,” wrote the employee in an internal email.

“This was not communicated to the 20 or 40 individuals who received them.

“[I] was not informed at any stage that they were not encrypted.”

If we hired health-care professionals here the same way we hire IT people, anyone who can sew something can be a surgeon.

Current IT employee for the N.W.T. government

Additionally, the TSC has a process where it replaces government laptops every three to four years to ensure devices have the latest technology, according to its director.

But the health department employee’s stolen laptop, purchased in 2013, was not registered with the TSC’s system, according to internal documents.

This means the stolen laptop was not flagged to the tech centre for replacing in 2017, the year before the theft.

IT staff unqualified, says source

According to a N.W.T. government employee who currently works in information technology, some staff and managers within the government’s IT division are unqualified to do their jobs. They said in some instances, staff don’t have IT degrees like computer science, but are sometimes transferred into their jobs through questionable internal hiring processes.

Difficult means you can still do it.

Current IT employee for the N.W.T. government

CBC News has agreed to withhold the identity of the IT employee, as they feel speaking out would put their job at risk.

“If we hired health-care professionals here the same way we hire IT people, anyone who can sew something can be a surgeon,” said the IT employee.

An IT employee with the N.W.T. government says there’s a correlation between IT staff’s lack of qualifications and the unencrypted Helix laptops. (Chantal Dubuc/CBC)

The IT employee expressed disbelief about the emails suggesting the laptops were “very difficult” to encrypt.

“I don’t believe it. I can’t,” they said. “Difficult means you can still do it.”

The IT employee added that qualification matters, especially when IT staff are dealing with practices like encryption of laptops.

“They could have [found] some alternate ways [for] encryption,” the IT employee said. “There’s so many software out there — you can virtually encrypt anything.”

Joe Mayer is the vice-president of Toronto-based Identos, a mobile security firm. (Submitted by Joe Mayer)

Joe Mayer, vice-president of Toronto-based company Identos, says encryption should be elementary for IT staff.

“This is sort of basic stuff,” said Mayer, whose company specializes in encryption of mobile devices.

“These things just shouldn’t be missed. And I think people usually get held accountable if this is the case.”

Mayer said if tech staff knew the Lenovo Helix was difficult to encrypt, it should have been removed from government use immediately.

‘High confidence’ in IT staff

Last summer, the Health Department said that the encryption process either failed, missed or “was not detected” by the TSC in the case of the stolen laptop.

At the time the Helix tablet-laptop hybrids were purchased in 2013, the centre was not familiar with encrypting tablets, according to Laurie Gault, director of the government’s TSC.

“We had not previously worked on tablets,” said Gault. “We had not tried [encryption] on these before.”

A file photo of a Lenovo Yoga tablet released in 2013, the same year the company released the Helix laptop. The N.W.T.’s Technology Service Centre purchased the Helix tablet-laptop hybrids the same year. (Anand Ram/CBC)

Gault said the tech centre later introduced specific encryption software for tablets between 2014 and 2015.

There were one or two individuals involved in encrypting the Helix devices at that time, and they have “since left my department,” said Gault.

When asked why the unencrypted laptops were handed out by her staff, she said “there was some urgent need for these. ”

She added that her staff tested the laptops and that the Technology Service Centre realized “after the fact” that the Helix laptops were unencrypted.

When asked if all IT staff and managers are qualified for their jobs, Gault deferred to Human Resources and said she has “high confidence” in her staff.

The Health Department said in an email response that ever since the theft, the Technology Service Centre reviewed all Health Department laptops to ensure they were encrypted.

The department added that the stolen laptop had a strong password.

With files from Alyssa Mosher

Related stories from around the North:

Canada: Chinese-made equipment in Canada’s Arctic ships under scrutiny, CBC News

Sweden: Sweden police chief granted Canadian company access to sensitive data, Radio Sweden

United States: Unsecured database discovered with information from about 600,000 Alaska voters, Alaska Public Media

Priscilla Hwang, CBC News

For more news from Canada visit CBC News.

Do you want to report an error or a typo? Click here!

Leave a Reply

Note: By submitting your comments, you acknowledge that Radio Canada International has the right to reproduce, broadcast and publicize those comments or any part thereof in any manner whatsoever. Radio Canada International does not endorse any of the views posted. Your comments will be pre-moderated and published if they meet netiquette guidelines.
Netiquette »

Your email address will not be published. Required fields are marked *