Ministry of Health fails to protect sensitive personal information: new report

In a report released earlier today, B.C.’s Information and Privacy Commissioner Elizabeth Denham finally opens the door on last year’s data breach at the Ministry of Health and finds “a number of weaknesses in Ministry controls over personal information.”

Denham’s report doesn’t mince words. During her investigation, she found “a complete lack of monitoring, enforcement and evaluation” within the Ministry. “There was no audit at any level of employee or researcher compliance with privacy policies. Nor did the ministry conduct any reviews of privacy provisions in agreements that provide for information sharing” (p. 15).

“This report shows an abject failure to use even basic means to protect our health information,” said Vincent Gogolek, Executive Director of the B.C. Freedom of Information and Privacy Association. “It’s the natural fallout from a government more committed to pushing personal health information out the door than protecting the privacy of British Columbians.”

Around the time his officials were investigating internal reports of these breaches and unauthorized disclosures, former Health Minister Mike De Jong promised to speed up the turnaround time on researcher requests for Ministry data (p.9).

“The government’s priority was providing quick turnaround for contract researchers,” said Gogolek. “Unfortunately, it’s now quite clear that the protection of our health information was not a priority for them whatsoever.”

Even the contracts with researchers were shoddy. Some contracts referred to appendices regarding security controls, but those appendices, Denham finds, did not exist. Other contracts didn’t even include so much as an oath of confidentiality or a specific confidentiality agreement.