box10.gif (1299 bytes)







Privacy and security

Patient photos and information on hard drive lost by hospital

EDMONTON – Two surgery videos and 3,600 photos of wounds, lab specimens and dead infants, all labelled with the patients’ names, went missing during an office move at the Misericordia Hospital in January, Covenant Health announced earlier this month.

The external hard drive, about the size of a book, was put under a desk during the move and couldn’t be found a week and a half later. The files were not originals, only four of the files have birth dates attached, and none contain financial information, but the hard drive should have been encrypted, said Covenant Health president Patrick Dumelie (pictured).

“In this case, a staff member did not follow policy,” he said. “We have a very solid policy that just wasn’t followed.”

The Office of the Information and Privacy Commissioner will be investigating, he added.

The loss of personal medical data follows several other cases in Alberta and shows the rules about handling confidential patient information need to be written into law, said Friends of Medicare director David Eggen, speaking after the announcement.

“This is a big concern and the government needs to standardize and reinforce the confidentiality rules that come from the provincial government, so we don’t see incidents like this in the future,” he said.

“It really compromises the sense of security that a family has around our public health system. Especially considering how this government is contracting out more services, confidentiality has never been more in peril.”

The hard drive was last seen Jan. 17. The employee returned to his old office and noticed it was missing on Jan. 28. Covenant Health told Frank Work, the provincial privacy officer, about the incident on Feb. 3, and instructed each manager to search their areas of the hospital to try to find the drive, a search that proved futile.

“I want to sincerely apologize to all of those patients and families for this incident and any distress this may have caused,” said Dumelie. “I also want to reassure anyone who comes to our facilities for care; changes have been made and we are working with staff and the Office of the Information and Privacy Commissioner to prevent this from happening again.”

The files did not contain financial information. While they did contain patients’ names, only four of the missing copies may contain patients’ dates of birth, financial or other private information.

The images were copies, and the originals are still stored on secure Covenant Health servers, Dumelie said.

Covenant Health Protective Services did an internal investigation but found no signs of break-in, leading them to believe the hard drive was not targeted, Dumelie added. “We believe there’s limited or no risk of identity theft.”

Posted March 24, 2011