An Edmonton woman has launched an $11-million class action lawsuit against Medicentres over a stolen laptop that contained the health information of 620,000 Albertans. The court file alleges that Medicentres was negligent in failing to protect private information and taking more than four months to tell patients about the privacy breach.

The laptop, belonging to an IT consultant working at Medicentres in Edmonton, contained the names, dates of birth, provincial health card numbers, billing codes and diagnostic codes of the individuals seen at Medicentre Family Health Care Clinics between May 2, 2011, and Sept. 10, 2013.

The unencrypted laptop went missing in September, but the public and Alberta’s Health Minister were not told about the theft until third week of January. The healthcare provider reported the incident to local police and the Office of the Information and Privacy Commissioner of Alberta on Oct. 1, 2013, but Medicentres’ chief medical officer stated that the they only began notifying affected patients in January because they had been busy “reviewing policies and procedures” in the wake of the incident. That included assessing the data that was contained on the stolen laptop; conducting security risk and administrative audits; implementing corrective actions, such as encrypting for all portable computing devices; and setting up a call center to assist affected patients.

In Canada, health privacy is mostly within provincial jurisdiction. The Health Information Act of Alberta is a relatively old statute, which pre-dates the more recent trend toward requiring notification in the event of data breaches. The more modern provincial statutes, such as the Personal Health Information Protection Act of Ontario, have strict notification requirements.

“Reporting a breach is not mandatory under the HIA,” says a statement on the Office of the Information and Privacy Commissioner of Alberta’s website. “Even so, reporting a breach to the OIPC is a good practice for the following reasons:

• A decision to notify the OIPC is viewed as a positive action by the public. It tells your patients and the public that you view the protection of health information as an important and  serious matter. This may enhance patient/public confidence.
• The OIPC can provide advice or guidance in responding to  the incident.
• It will assist the OIPC in responding to inquiries made by the public and managing any complaints that may be received as a result of the breach.”

With respect to data security best practices, consider whether it is ever a good idea to give a contractor 620,000 records on a mobile device. Even so, any personal health information on a laptop computer or other mobile storage device must be encrypted.

In the U.S., data breaches involving the loss or theft of unencrypted computing devices have been responsible for more than half of the 804 major breaches confirmed since September 2009, according the U.S. Department of Health and Human Services.

The Alberta Medicentres breach believed to be one of the largest health data breaches ever reported in Canada.