U of L health data breach affects more than 1,200 patients

A health centre staff member at the University of Lethbridge included confidential information in a non-encrypted spreadsheet and accidentally emailed it to a student last month.

Elsa Perry of Calgary is one of the more than 1,200 patients affected by the error.

Perry was a PhD student in Lethbridge but moved back to Calgary in 2019. While she studied there, she used the school's on-campus health centre.

Earlier this month, Perry received what she calls an alarming email regarding her history at the clinic.

"The email was letting me know there had been a data breach," Perry said.

"Astaff member had placed my confidential information including my full birth name, my birth date, and my personal health number on a non-encrypted spreadsheet, and then accidentally emailed that to a student."

CBCNews received an emailed statement from the University of Lethbridgethat said other information, including genderand a list of family physicians the patientshad seen dating back to 2015,was also included.

The violation affects1,225 patients, who werestudents, staff and faculty.

No other information was included in the document.

Email deleted

The incident happened June 23and was discovered the next day.

The health centre contacted the student who had received the information in error by email, asking that the spreadsheet be deleted.

By July 9, when there had been no response from the student, the email was deleted.

That's 15 days after mistake was discovered.

Perry's letter to inform her of the compromised dataarrived on July 13, three weeks after it happened.

Perry feels the school and the health centre are downplaying the incident.

"This entire process is problematic. The delayed timeline with contacting the IT department to get the email deleted really concerns me," Perry said.

"So my questions are,what's stopping this from happening again, and what are the protocols and due processes in place, if there are any? Are staff members being trained in how to properly handle this type of confidential information?"

A traumatic experience

The school says it is taking action.

"Maintaining the privacy of confidential information is of the utmost importance to the staff of the U of L Health Centre, a responsibility they take very seriously," reads a section of the university's statement.

"A mistake was made, and as a result, the health centre's protocols for handling personal information have been thoroughly reviewed and communication policies and privacy protocols have been reinforced with all staff members."

Perry calls the whole experience traumatic, and says more needs to be done.

"The lastthing I would really like to see happen with this is an official review. And I'd like to know: will the results be shared with everyone who is greatly impacted by this?

"Or, are we just supposed to believe this will all happen as it's supposed to, behind closed doors?"

Alberta's Privacy Commissioner confirms the violation was reported to the office in early July.

Perry doesn't just want the commissioner's office to find out what went wrong. She wants the incident to spark policy changes to ensure this doesn't happen again.

She doesn't believe the student who received the information in error has any intention to use her databut worries nonetheless and says it is now up to her to monitor her credit for untoward activity at her own expense.

"The onus is on me every day now to make sure that my information is not being used improperly,"Perry said.