Alberta Health Minister Fred Horne claims to be outraged he’s only just learned the personal health records of 620,000 Albertans were on a laptop computer that disappeared, presumably stolen, in Edmonton last September. And well he should be.
But no one in a position of responsibility seems all that concerned that the records — which included names, birthdays, health card numbers, billing codes and diagnostic codes of enough patients to fill the Edmonton Oilers’ planned new hockey arena 31 times — were on a private IT consultant’s unencrypted computer lying around the offices of a private company that operates a string of 16 medical clinics.
That’s just one of those things, here in free-enterprise Alberta.
A cynical observer of the Redford Government’s effort to tiptoe toward more privatization on the edges of Alberta’s health-care system might see a problem in the lack of accountability endemic to private firms like Medicentres Family Health Clinics, the outfit whose computer consultant had all the data on his unencrypted laptop because … well, because it must have seemed like a good idea at the time.
But that kind of thinking is not encouraged. Accordingly, the minister and the media focused on the detail of how long it took Medicentres to get the information to the Health Department — almost four months — without anyone seeming to particularly want to admit the two issues might be related.
In fairness, private records have gone missing from public offices in the past too — though never on anything like this scale. But when that happens, it’s much easier to take corrective action so it won’t happen again without passing legislation to do it. It’s that accountability thing again.
For his part, Dr. Arif Bhimji the company’s chief medical officer told the local media that rather than rush to bring the minister into the loop, Medicentres decided to do its own investigation first and, as the paper put it, “make sure clients’ information was protected going forward.”
Anyway, the company didn’t actually have to tell the minister or anyone else, it turns out, because the province’s privacy laws have more holes in them than the proverbial block of Swiss cheese.
“Currently, there are no provisions under Alberta’s Health Information Act requiring a health custodian to report a breach to my office or notify affected individuals,” Alberta Privacy Commissioner Jill Clayton said in a statement. “When we do receive reports of this nature, it is done on a voluntary basis. Decisions about when and if affected individuals will be notified of a breach are the responsibility of the custodian. I have no authority to require custodians to notify affected individuals.”
So presumably Medicentres went above and beyond the call of duty when they not only called the cops, but reported the loss to the Privacy Commissioner, both on Oct. 1.
But that’s where the reporting chain seems to have stopped until recently. As a spokesperson for the commissioner’s office told the local press, the commissioner didn’t pass the information on to the minister or tell the company to do so either. It’s not in the law, dontcha know!
Well, no one will ever say Alberta ties up private businesses with red tape! Still, that particular lack of red tape an interesting development that I bet lots of Albertans were none too happy to learn about!
There will be investigations aplenty now, rest assured, and perhaps even new legislation somewhere down the line — if only to prevent Horne from having to suffer the unexpected indignity of such media questions in the future.
But don’t look for changes that actually make private companies much more accountable, though.
If you’re someone who visited a Medicentre clinic in Edmonton or Calgary between May 2, 2011, and Sept. 19, 2013, you have one more thing to think about.
As for the computer, they’re still looking for it. It’s about the size of a … oh never mind.
This post also appears on David Climenhaga’s blog, Alberta Diary.