Stolen laptop had health data for 80% of N.W.T. residents

A laptopstolen from a locked vehicle in Ottawa contained health-care information about more than 33,000 N.W.T. residents, according to the territory's health department.

The laptop held data on patients and their health histories. It was stolen on May 9, but officials did not disclose the breach until Thursday; providing details in both a statement and teleconference.

A total of 33,661 residents may have been affected by the breach, which included more than 45,000 entries of personal information, according to the Department of Health and Social Services.The N.W.T. has a population of about 41,800, according to 2016 census data.

• New details onInuvikhospital data breach revealed in Privacy Commissioner's annual report

The data included names of patients, their birth dates, homecommunitiesand health-care numbers. Some patients'data may have also included their history of infectious disease, health conditions, immunization status and lab test results.

The data wasn't encrypted but officials said the computer had a strong login password and there isn't anything to suggest someone outside the government has accessed the data.

• Patient records breached 8 times in 2015-2016, confirms N.W.T. health dept.

Bruce Cooper, the department's deputy minister, said the government is reviewing its policy toward protecting patient data.

"Any time you have a critical incident occur, you have to stop, take stock and assess: Are there things that we could and should be doing differently?" he told reporters, adding that the government will examine whether it makes sense to store data in a secure cloud-based system, as opposed to individual laptops.

The information was gathered legally under the Public Health Act and was to be used for statistical analysis on the health of people living in the territory, according to the news release.The employee responsible for the laptop took it to Ottawa for meetings.

Announcement delayed

Though it's been nearly two months since the theft, the government said disclosing it was delayed in part by an investigation by the territory's health privacy officer.

Damien Healy, a spokesperson for the health department, said in an email Thursday afternoon that the preliminary investigation concluded that "the device was in a secure compartment in a locked vehicle;it was protected by a strong password and the employee believed with reason the device was encrypted.

"The investigation concluded the custodian had met the expectation regarding protection of this device," Healy wrote."Important to note that this was the result of a theft and not as a result of an act of commission or omission."

Healy later toldCBC News the employee still works for the territory.

History of breaches

The Northwest Territorieshealth system has a history of patient privacy breaches.

Between April 2016 and March 2017, Elaine Keenan-Bengts, the territory's information and privacy commissioner, investigated eight files under the Health Information Act, including three breaches of patient data.

In her latest annual report, Keenan-Bengtsnoted health information custodians were "far from compliant" with the act.

• Privacy breach at Hay River clinic prompts discovery of 41 'irregularities' with patient files

One of those cases involved dozens of patients in Inuvik whose health records were compromised.

In 2014, a doctor at Stanton Hospital in Yellowknife lost a USB drive containing names, health-care numbers and personal medical information for more than 4,000 patients. That same year, the department mailed 195 health-care cards to the wrong addressesdue to a spreadsheet error.

Encryption failed or missed

All devices supported by the territorial government's Technology Services Centre are supposed to be encrypted, the news release states. But the stolenlaptop was a new device; the encryption process either failed or was missed.

All of the other laptops and tablets have been checked and technical support staff are following up with any laptops that aren't connected to the system, the release said.

Cooper said that, in the aftermath of the theft, he emailed the department's entire staff and directedindividual health authorities to review that all devices are encrypted.