Information and Privacy Commissioner / Ontario
ORDER HO-004
Ann Cavoukian, Ph.D., Commissioner
March 2007
BACKGROUND

On January 15, 2007, the Office of the Information and Privacy Commissioner/Ontario (IPC) was contacted regarding a stolen laptop computer belonging to the Hospital for Sick Children (SickKids). The laptop contained the personal health information (PHI) of current and former SickKids patients. The IPC immediately commenced an investigation of this incident, pursuant to the Personal Health Information Protection Act (the Act).

NATURE OF THE INCIDENT

On January 4, 2007, a physician at SickKids, who is both a clinician and a researcher, left the hospital with one of its laptop computers, with the intention of taking it home to analyse research data that was stored on it. However, the physician did not go directly home. Instead, he parked his vehicle, a minivan, in a Toronto Parking Authority parking lot in downtown Toronto between the hours of 7:30 p.m. and 11:00 p.m. Given that the minivan had no trunk, he placed the laptop computer between the front seats and covered it with a blanket. When he returned to his vehicle, the front passenger window had been broken and the laptop was gone. The physician immediately filed a vehicle break-in report with the Toronto Parking Authority and, on the Toronto Police Service’s advice, filed a police report the following morning. To date, the police have not recovered the laptop computer.

On January 5, 2007, the physician notified his department head and the Chair of the Research Ethics Board, who, in turn, notified SickKids’ Privacy Contact on January 9, 2007. On January 10, 2007, members of the senior management team met, where it was determined that the incident warranted action as set out in SickKids’ policy entitled “Management of Critical Occurrences” (MCO).
Implementation of this policy involved notification of the appropriate people, including patients and their families, and conducting an internal investigation in order to identify systems-related issues and make recommendations to prevent a reoccurrence, assign responsibilities, and establish timelines for implementation.

One of the objectives of the internal investigation was to determine the nature of the data contained on the laptop computer. SickKids advised the IPC that the data consisted of Excel spreadsheets containing the personal health information (PHI) of approximately 2,900 current and former SickKids patients involved in five prospective research studies and five retrospective research studies. Approximately 157 patients are involved in the prospective studies and approximately 2,700 patients are involved in the retrospective studies.

A prospective study requires the patient’s consent, as the patient receives treatment during participation in the study. As such, the patient is aware that his/her PHI is being used for research purposes. A retrospective study generally consists of a review of the records of past patients. A research ethics board may, under certain circumstances, approve a waiver of the consent requirement for such studies. The Research Ethics Board (REB), established by SickKids, had approved all ten studies and the waiver of the consent requirement for all five retrospective studies.
The amount of information pertaining to each patient varied, but all cases involved identifiable PHI. At a minimum, the patient’s name and SickKids Hospital Number were included on the spreadsheets. In addition, in each case, some information relating to the patient’s medical condition was included in the data, such as vascular testing measures, operative dates, surgical details, and/or diagnoses. In some, but not all cases, very sensitive information was also included, such as answers provided in interviews and questionnaires relating to morbidity and mortality details, perceptions of quality of life, drug therapy, and patients’ HIV status.

The physician was one of seven co-investigators involved in the research studies, and, in two studies, was the principal investigator. Some of the patient information in one of the retrospective studies had been provided to SickKids by another hospital, the University Health Network (UHN), which was collaborating with SickKids on the study. All of the patients in the retrospective studies had transitioned from childhood to adulthood, 350 of whom were treated at UHN.

All of the data stored on the laptop was also saved on SickKids’ main server. The only laptop security was an eight-character alphanumeric login password. No encryption of any data had been enabled, at either the file or disk level. At the time of the incident, remote encrypted access to PHI in shared folders was available to researchers through standard commercial software via a Virtual Private Network (VPN), and to clinicians for access to clinical applications through commercial software called Citrix™. SickKids acknowledges that the researcher could have accessed this data remotely, which would have eliminated the need to remove it from the hospital on the laptop computer. SickKids also acknowledges that, in this particular case, the research data needed did not have to be accessed in identifiable form.
CONDUCT OF THE REVIEW

The IPC was initially advised of the theft of the laptop on January 15, 2007. Additional information was provided by SickKids in meetings with the IPC on January 26, 2007 and February 15, 2007, by way of a written report dated February 1, 2007 submitted to the IPC, and by way of written submissions dated March 2, 2007, in response to the IPC’s request for written submissions.

As a result of the incident and as part of its MCO policy, a number of steps are being taken by SickKids to prevent a reoccurrence of this type. A review of its current policies and practices regarding portable computing devices, the use of encryption, and remote access is presently underway. As a preliminary precaution, an alert was sent out to staff members via the hospital’s intranet “daily news” and “tip of the day” that stated:

    Any identifiable patient information must not leave the hospital, whether the material is “physical” (e.g. health record or x-ray) or “electronic” (e.g. on a laptop or flashcard). This includes research databases with identifiable patient information. Please note that it is a breach of hospital policy to have identifiable patient information leave the premises of the hospital. Please make sure that none of your electronic materials contain identifiable patient material.
SickKids’ Privacy/IT/Risk Working Group met to discuss theft and preventative precautions, including a discussion of the issue of providing easier access to the central servers to lessen the use of “roaming devices.” In addition, consultation with the other research investigators took place to determine the most appropriate method of patient/family notification, and consultation with representatives of UHN took place to obtain patient contact information.

SickKids’ REB has now mandated that all PHI stored and used for research purposes must be de-identified through the use of unique identifiers that cannot be traced back to a particular patient without the use of a legend to “crack” the code. The REB and the Clinical Research Office are planning to conduct random audits to ensure compliance and are contemplating penalties for those researchers who do not comply with the new process. SickKids’ Information Technology (IT) department is also seeking proposals from vendors relating to encryption software that can be effectively used on endpoint devices.

With respect to patient notification of the privacy breach, all active patients, that is, those who have been seen at SickKids within the last two years, for which SickKids has current contact information, have been notified of the incident by way of a written letter from SickKids. In those cases where the information contained on the laptop computer was of a sensitive nature, the patients and their families are being notified of the theft in person, at clinic appointments. It is worth noting that approximately one third of the patients affected by this incident are deceased. In addition, on March 1, 2007, SickKids issued a press release, which is also posted on its Internet site.
The hospital provided to the IPC copies of its IT Strategic and Action Plans and a number of policies and procedures that relate to the confidentiality and privacy of both personal information and PHI, theft/loss prevention and reporting, computer information security, clinical systems education, ethical conduct of research, and consent issues in research. I would like to acknowledge the full cooperation given to my staff by SickKids during the course of this investigation. Staff of the hospital was at all times fully engaged in ensuring that a comprehensive investigation was completed and that meaningful measures are put into place to prevent a reoccurrence of this type of incident. I have nothing but praise for the cooperation extended.
ISSUES ARISING FROM THE REVIEW

I identified the following issues, which will be discussed in turn, as arising from this review:

(A) Are the records at issue “records” of “personal health information” as defined in sections 2 and 4 of the Act?
(B) Is SickKids a “health information custodian” as defined in section 3(1) of the Act?
(C) Did SickKids, as the health information custodian, comply with sections 12(1) and 12(2) of the Act?
(D) Did SickKids, as the health information custodian, comply with section 13(1) of the Act?
(E) Did SickKids, as the health information custodian, comply with sections 37(1)(j) and 37(3) of the Act?
(F) Did SickKids, as the health information custodian, comply with section 10(1) of the Act?

RESULTS OF THE INVESTIGATION

Issue A: Are the records at issue “records” of “personal health information” as defined in sections 2 and 4 of the Act?

Section 2 of the Act defines a record as:

    …a record of information in any form or in any medium, whether in written, printed, photographic or electronic form or otherwise, but does not include a computer program or other mechanism that can produce a record.

Section 4(1) of the Act states, in part:

    In this Act, “personal health information”, subject to subsections (3) and (4), means identifying information about an individual in oral or recorded form, if the information,
    (a) relates to the physical or mental health of the individual, including information that consists of the health history of the individual’s family,
    (b) relates to the providing of health care to the individual, including the identification of a person as a provider of health care to the individual, or
    (f) is the individual’s health number.
Identifying information is defined in section 4(2) of the Act as information that identifies an individual or for which it is reasonably foreseeable in the circumstances that it could be used, either alone or with other information, to identify an individual.

The data stored on the stolen laptop consisted of the name and hospital number of each patient/research subject and is, therefore, identifiable. In addition, in each case, some form of clinical information about the patient was included, such as testing dates and measures, and diagnoses, and in some cases extremely sensitive PHI was included, such as HIV status, morbidity and mortality rates and drug therapy. Each patient included in the research study is currently a patient at SickKids or was a patient at some point in the past. A person reading the data would be able to ascertain that the individuals, who are named, had health issues that were diagnosed and/or treated at SickKids, therefore meeting the criteria for PHI as set out in the Act.

I therefore find that the information stored on the laptop computer consists of records of personal health information as defined in sections 2 and 4 of the Act. The hospital does not dispute this finding.

Issue B: Is SickKids a “health information custodian” as defined in section 3(1) of the Act?

Section 3(1) of the Act states, in part:

    “health information custodian”, subject to subsections (3) to (11), means a person or organization described in one of the following paragraphs who has custody or control of personal health information as a result of or in connection with performing the person’s or organization’s powers or duties or the work described in the paragraph, if any:
    4. A person who operates one of the following facilities, programs or services:
    i. A hospital within the meaning of the Public Hospitals Act…

I find that SickKids is a health information custodian, as it is the person who operates the hospital, which is a hospital within the meaning of the Public Hospitals Act. In addition, SickKids had custody and control of the PHI, as a result of both providing treatment to the affected individuals and conducting research utilizing the PHI of the affected individuals. SickKids therefore meets the definition of custodian as set out in section 3(1)4i of the Act. The hospital does not dispute this finding.
Issue C: Did SickKids, as the health information custodian, comply with sections 12(1) and 12(2) of the Act?

Section 12(1) of the Act provides as follows:

    A health information custodian shall take steps that are reasonable in the circumstances to ensure that personal health information in the custodian’s custody or control is protected against theft, loss and unauthorized use or disclosure and to ensure that the records containing the information are protected against unauthorized copying, modification or disposal.

Section 12(2) of the Act provides as follows:

    Subject to subsection (3), and subject to the exceptions and additional requirements, if any, that are prescribed, a health information custodian that has custody or control of personal health information about an individual shall notify the individual at the first reasonable opportunity if the information is stolen, lost or accessed by unauthorized persons.

Section 12(1) of the Act

Based on information provided by SickKids, namely the fact that the physician was able to remove identifiable PHI from SickKids’ premises and store it on a laptop computer with only a single level password and in unencrypted form, I am not satisfied that SickKids has taken steps that were reasonable in the circumstances to ensure that the PHI in its custody or control was protected against theft, loss and unauthorized use or disclosure, as required under section 12(1) of the Act.

SickKids provided the IPC with copies of its IT Strategic and Action Plans. The Strategic Plan was last updated in February 2004 and states, in part:

    …security is an underlying principle of electronic access, thus security of the infrastructure is of paramount importance. The correct approach to security is a multi-layered approach with each layer offering an incremental level of access to the core – the electronic data itself. We will continue to apply this approach and employ best security practices at each layer of the infrastructure.
The plan illustrates the building blocks of the IT infrastructure with a diagram, depicting the network, servers and storage, common application enablers and access devices. Laptop computers are considered access devices. While the Strategic Plan clearly envisions the security of health information, it is limited in that it does not set out how the proposed security goals will be implemented on a hospital-wide basis. Similarly, SickKids’ IT Action Plan, updated in September 2006, only sets out the steps that will be taken to ensure access to PHI by clinicians. For example, the hospital will “provide easy, secure and reliable remote access to clinical, research and education data,” and indicates that the hospital will “continue the standardization of desktops and implement laptop standards to better support the recovery process.” The document appears to place importance on improving access to PHI, appropriately so in my view. However, equally appropriate matching efforts to ensure the security and privacy of that PHI are lacking.

SickKids has a number of general policies that make reference to the security of PHI and/or personal information. For example, the policy entitled Privacy of Personal Information states:

    Security safeguards appropriate to the sensitivity of the information will protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use or modification. SICKKIDS will protect personal information regardless of the format in which it is held. The methods of protection include physical, organizational and technological measures.

In addition, its policy entitled Confidentiality of Information indicates that:

    [the] removal of confidential information in any form from the Hospital premises is discouraged and must comply with established practices. Anyone removing confidential information is accountable for protecting such information until it is safely returned to the Hospital.

The policy entitled Computer Information Security states that:

    …computers and data can be accidentally destroyed or stolen. It is the responsibility of all users to protect the information stored on their personal computers. The more confidential and sensitive the information, the more comprehensive the measures to protect it must be taken.

The policy then provides examples of security measures, such as locking laptop computers out of sight when not in use, storing confidential information on a secure system with password access restrictions, using password protection and/or encryption on disks, and encrypting confidential information that is electronically transmitted over public networks such as the Internet.
There is also a policy entitled Theft/Loss Prevention and Reporting, which states that laptop computers are to be stored in secured cabinets. Finally, SickKids has a Workstation Software policy that sets out the types of permitted and prohibited software on workstation and notebook computers. There is no reference to encryption in this policy.

Although the policies provided to the IPC by SickKids recognize the risks involved with identifiable PHI contained on laptop computers, they do not provide specific guidance as to how to reduce, or indeed, eliminate the risk by ensuring the security of the PHI. For example:

• the removal of confidential information from the facility is not prohibited, rather it is only “discouraged;”
• although the policies and procedures recognize that appropriate security safeguards are necessary, specific guidance is not provided as to what measures must be taken; and
• a variety of security measures are identified, however minimum standards, such as the mandatory use of encryption for PHI, are not established.

There is a further concern raised by our review of the policies and procedures and information gathered at our meetings. We understand that latitude is given to each department to establish its own security practices and standards. In some cases, the onus of ensuring appropriate security measures appears to be placed on individual staff members. Given the importance of the security of PHI, SickKids must ensure that it has a comprehensive corporate policy established and put into place, and that all staff are informed and educated about this policy. In addition, it should not be left to the discretion or judgement of individual staff members to determine how to ensure that appropriate security measures are in place.

This incident is an excellent example of why a comprehensive corporate policy encompassing all departments of a large institution such as SickKids is vital. A staff member demonstrated poor judgement in leaving a laptop computer in a vehicle (despite attempts to conceal it) in a parking lot in downtown Toronto, an area targeted by thieves. That laptop contained identifiable patient information in unencrypted form. A written and enforced corporate policy prohibiting the removal of identifiable patient information from the hospital might have prevented this incident. Similarly, a clear corporate policy requiring the encryption of PHI on desktop and laptop computers would have provided an essential level of protection. Finally, the enabling of all computing devices with the appropriate security protections by the hospital’s IT department would not have left this important function to be decided by an individual staff member. Corporate responsibility for security recognizes that technical safeguards may become outdated over time as technology evolves.
Password protection, which is extensively canvassed in SickKids’ policies, can no longer be considered to provide adequate security. Password “crackers” are easily available and may well be part of a network administrator’s tool kit in order to help staff who have forgotten or lost their passwords. PHI of this very sensitive nature must be either de-identified or encrypted if on disk, e-mailed or stored on a laptop computer.

Encryption is a common and potentially effective mitigation to the risks associated with having PHI accessed outside of normal network protections. Encryption is the practice of encoding a message or data in such a manner as to render it into a meaningless array of letters, numbers and symbols. Such encoding, or encryption, is accomplished by the use of a computer algorithm and encryption keys. If relatively current encryption tools are used, PHI is effectively rendered meaningless. This significantly reduces the risk of a privacy breach to a truly negligible level, provided that the encryption keys are not included with or in the lost or stolen laptop. While encryption may have an impact on system performance, it so clearly addresses the risk of a privacy breach that the onus must be on the organization to justify not using it. For health information custodians, the encryption of PHI on vulnerable computing devices, particularly laptops, should now be viewed as the rule, not the exception.

An alternative to the use of encryption is to refrain from travelling with PHI, leaving it on secure servers, and accessing it remotely through a secure connection or through a VPN. One example of remote access is the Internet itself. Browsers allow access to information on remote and secure servers, without necessarily having to have a copy of the information on the local computer. Browsers can be set not to retain local copies of the data presented, and web sites can be set to allow only authenticated users to have access. Alternatively, a VPN is a special type of remote access in which a secure connection is made between a remote computer, such as a laptop, and the computer network at the organization’s office. This typically requires an internet connection, but does not use a web browser. A VPN allows remote users to access most or all of the features of the organization’s network as if they were in the office. While both remote access and VPNs may present different sets of risks, when properly set up, they will reduce or eliminate the privacy impact of having a stolen or lost laptop computer.

SickKids acknowledges that they lacked cohesive hospital-wide, up-to-date policies and practices that set out the specific responsibility and steps required to ensure the security and privacy of PHI stored on laptops. SickKids also acknowledges that, as the health information custodian, it is responsible for ensuring that these policies and practices are in place, across all its departments, including, but not limited to, the corporate, research and IT departments. As noted earlier, SickKids has taken an excellent first step in establishing comprehensive, corporate-wide policies by prohibiting the removal of any identifiable patient information from its premises. In its written representations, SickKids has advised the IPC that it has initiated a comprehensive review of its current policies and procedures to ensure consistent and mandatory levels of security protection are applied across all departments by clinicians and researchers.
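The REB mandate described under "Conduct of the Review" (research data keyed by unique identifiers that cannot be traced back to a patient without a separately held legend) and the requirement above that sensitive PHI be de-identified or encrypted before it is e-mailed or stored on a laptop can be shown in a small worked example. The Python script below is an added illustration and is not part of this Order or of SickKids' own tooling. The column names, the sample rows and the per-study key are constructed for the example, and deriving study codes with a keyed HMAC is one reasonable design choice, not a method the Order prescribes:

```python
"""Pseudonymize a research spreadsheet and keep the legend separate.

Added example, not part of the IPC order or SickKids' own tooling.
Direct identifiers (name, hospital number) are replaced by study codes
that cannot be traced back to a patient without a separately stored
legend. Column names, the per-study key and the sample rows are
constructed for this example.
"""
import csv
import hashlib
import hmac
import io
import secrets

# Columns treated as direct identifiers (assumed spreadsheet layout).
DIRECT_IDENTIFIERS = ("name", "hospital_number")

# Constructed sample export; these are not real patients.
SAMPLE_CSV = """name,hospital_number,operative_date,diagnosis
Jane Doe,1234567,2005-03-14,condition A
John Roe,7654321,2006-11-02,condition B
"""


def new_study_key() -> bytes:
    """Generate a per-study secret key.

    A different key per study means the same patient gets a different
    code in each study, so codes cannot be used to link studies together.
    """
    return secrets.token_bytes(32)


def study_code(hospital_number: str, study_key: bytes) -> str:
    """Derive a stable study code from the hospital number.

    A keyed MAC is used instead of a plain hash: hospital numbers have
    little entropy, so an unkeyed SHA-256 of one could be reversed by
    simply hashing every candidate number. Without study_key the code
    reveals nothing about the patient.
    """
    digest = hmac.new(study_key, hospital_number.encode(), hashlib.sha256).digest()
    return "S-" + digest[:6].hex().upper()


def pseudonymize(csv_text: str, study_key: bytes):
    """Return (de-identified rows, legend).

    The legend maps study code -> direct identifiers and is the only
    artefact that links the research data back to patients. It belongs
    on the secured server, never on the same laptop or portable device
    as the de-identified rows.
    """
    legend = {}
    deidentified = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        code = study_code(row["hospital_number"], study_key)
        legend[code] = {field: row[field] for field in DIRECT_IDENTIFIERS}
        cleaned = {"study_code": code}
        cleaned.update({k: v for k, v in row.items() if k not in DIRECT_IDENTIFIERS})
        deidentified.append(cleaned)
    return deidentified, legend


def contains_direct_identifiers(rows) -> bool:
    """Compliance check to run before any dataset leaves the secure network."""
    return any(field in row for row in rows for field in DIRECT_IDENTIFIERS)


def reidentify(code: str, legend: dict) -> dict:
    """Look a study code up in the legend (authorized use only)."""
    return legend[code]


if __name__ == "__main__":
    key = new_study_key()
    data, legend = pseudonymize(SAMPLE_CSV, key)
    assert not contains_direct_identifiers(data)
    for row in data:
        print(row)
    # Only a holder of the legend can go back to the patient.
    print(reidentify(data[0]["study_code"], legend))
```

The study key and the legend are the two things that make re-identification possible, so they stay on the secured server while only the de-identified rows travel. The `contains_direct_identifiers` check is the kind of test the random audits mentioned earlier could automate before a dataset is approved to leave the network.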
In meeting this objective, SickKids’ Privacy Committee has devised a hospital-wide “Privacy Improvements Project Plan,” which is intended to specifically address the security risks involved with PHI contained on mobile computing devices. This includes the development of three new policies on the topics of security of PHI, removal of identifiable health information and the use and control of laptop computers and portable storage devices. These policies will reflect and incorporate current technological advances available to safeguard PHI, and will be supplemented by a newly devised staff education and training program. Lastly, SickKids has advised the IPC that it is also working on a project to implement a centrally managed encryption solution that will protect any type of confidential data copied to a mobile computing device.

In summary, based on a review of the policies provided to the IPC, although SickKids is in the process of developing new policies, at the time of this incident, there was no consistent policy in place at SickKids that set out minimum mandatory levels of security and privacy protection, nor a policy that set out how a clinician/researcher could obtain this level of protection. As a result, I am not satisfied that SickKids meets the requirements of section 12(1) of the Act.

Section 12(2) of the Act

With respect to section 12(2) of the Act, I find that there are reasonable grounds to believe that the PHI may have been accessed by unauthorized persons, namely the person(s) who stole the laptop computer and its recipient(s). Although the laptop computer was password protected, there are products currently available on the market that can “crack” passwords with remarkable speed and ease, making the PHI readily available to the unauthorized user. I also note that the information on this particular stolen laptop computer is highly sensitive. It consists of PHI, including, in some cases, medical diagnoses. In other cases, the data touches on family members as well. The affected individuals and their family members would clearly be very upset if this PHI fell into the wrong hands.

In meetings with the IPC, SickKids advised the IPC that it agrees that section 12(2) applies in this situation. Given that the majority of affected individuals had transitioned to adulthood and were no longer active patients at SickKids or were deceased, notification was particularly challenging in this case. The contact information for these patients was most likely out of date and any attempt to provide written notification might cause a further privacy breach. In its written submissions, SickKids indicates that it has demonstrated full compliance with section 12(2) in that:

• SickKids has sent out written letters to active patients with current contact information, notifying them of the breach and providing a contact person should questions arise;
• SickKids is informing active patients whose PHI was of a particularly sensitive nature in person at their next scheduled clinic appointment; and
• SickKids issued a press release on March 1, 2007, which is also posted on its Internet site. The press release provides information about the breach and designates a contact person the public may contact with any inquiries.
Based on the above information provided by SickKids and the particular circumstances of this case, namely, the challenge in notification given the outdated and unreliable patient contact information, and the resulting risk to privacy in attempting to send letters to those addresses, I find that SickKids has complied with the notification requirement of section 12(2) by notifying the active patients individually, either verbally or in writing, and by issuing a press release to the public, and by posting it on its website.

Issue D: Did SickKids, as the health information custodian, comply with section 13(1) of the Act?

Section 13(1) of the Act provides as follows:

    A health information custodian shall ensure that the records of personal health information that it has in its custody or under its control are retained, transferred and disposed of in a secure manner and in accordance with the prescribed requirements, if any.

SickKids advised the IPC that the PHI stored on the laptop computer was not permanently lost, as it was also saved on the main server.
Notwithstanding the fact that the PHI was “backed up” on the main server, it cannot be said that the information was retained securely, given the theft of the laptop computer, and the absence of appropriate security measures as noted above. As discussed in detail under “Issue C” of this document, while many of SickKids’ policies refer to the importance of the security of “confidential” information, the policies are inconsistent. They do not clearly set out the specific steps required to ensure that security, and are not in keeping with current technological advances.

In its written submissions, SickKids has advised the IPC that it is exploring alternative safeguards to those presently in place to ensure that its security practices are in keeping with evolving technological advances and current industry standards.

As a result, I find that SickKids, as the health information custodian, did not ensure that the records of PHI in its custody or under its control were retained in a secure manner and, therefore, did