Toronto Western Hospital eye clinic, overseen by the University Health Network, had to issue a mea culpa when three USB memory sticks went missing, triggering a health data breach and affecting approximately 18,000 people. The devices were not protected with medical encryption software, which was against hospital computer security policies. The use of AlertBoot would have provided the required protection because it automatically encrypts USB drives.
Ontario Health Care Organizations Must Protect Health Information
The breach occurred around “the second week of September.” The hospital’s management has revealed they’re not quite sure how or when exactly the USB drives were stolen. Indeed, they keep using the word “disappeared” when describing the loss of the USB device.
It was also revealed that the Ontario privacy commissioner had given three orders for the USB keys to be protected with the likes of encryption software, and that the data on them could go as far back as 1997. Which, under the circumstances, sounds like a disaster waiting to happen, especially because all three USB drives were kept on a single key ring.
I only mention this because it seems like an excellent way to lose all three devices at the same time. (Of course, in the hospital’s defense, losing them one by one is not exactly an alternative. Sometimes, you want to put all of your eggs in a basket and never take off your eyes off that basket.)
Breached patient information includes “patients’ names, addresses, phone numbers, health card numbers and ‘procedure codes’ outlining the nature of their appointments at the eye centre.”
Regarding the data breach, the Ontario privacy commissioner noted that the situation will be investigated, adding (my emphasis):
“My office has issued several orders which state that personal health information must not be retained on any type of mobile storage device . . . unless it is absolutely necessary and if so, then that it must be encrypted,” Cavoukian said.
“I urge all Ontario health care organizations to review their practices relating to the use of unencrypted mobile storage devices immediately and ensure that (personal) health information is strongly protected at all times.”
There you have it. If you happen to be operating in Ontario, you either do not store personal health information on mobile devices (which include laptop computers, smartphones, and tablet computers like the iPad) or you use encryption. There really isn’t any other option.
Related Articles and Sites: