5 takeaways from the N.W.T. stolen laptop health data breach documents

This January, CBC News began looking into hundreds of pages of internal N.W.T. government documents and emails about a stolen laptop incident last year which put at risk health data on nearly the entire territory's population.

Last May, the unencrypted laptop belonging to an employee with the Department of Health and Social Services was stolen from a locked vehicle in Ottawa.

• PART 1 |Pap smears, STIs and flu: What the N.W.T. gov't didn't tell you about a stolen laptop
• PART 2 |N.W.T. employee dug through planters, trash to find stolen laptop, weeks after privacy training
• PART 3 |Stolen N.W.T. laptop among dozens that were unencrypted, and handed out to unsuspecting staff

The laptop, which was used for statistical analysis, has not been found.

CBCNews filed an Access to Information request with the Health Department about the incident, which produced more than 350 pages of documents.

Here are some takeaways:

1. The scope was much larger

The number of people potentially affected is closer to 40,000, documents reveal. That's compared to the 33,661 people the government initially quoted last summer in a public announcement.

And health information on people from every province and territory in Canada may have been stored in the stolen laptop, according to the documents.

Thousands of recordswere related to HPV vaccinations, C. difficile (colon infections), pap smears, whooping cough, blood tests for tuberculosis, sexually transmitted infectionsand antibiotic-resistant diseases, among others.

One data source that has 100 per cent of N.W.T. residents' demographic information may also have been on the laptop.

That system is regularly updated and is "the most up-to-date source" for residents' names, dates of birth, communities of residence, sex, health-card numbers and "other important indicators," documents reveal.

2. Laptop was left in a busy, public areanotorious for thefts

The documents reveal that the laptop was stored inside the health department employee's backpack, and placed behind the centre console of a rented Dodge Grand Caravan.

The minivan was parked in an underground parking garage inByWardMarket in downtown Ottawa, according to documents.

The employee then had a busy night of searching publicdumpsters, planters and even dark alleyways, she says in her initial report to the department.

That area of Ottawa sees a hundred thefts reported weekly, according to police quoted in internal emails.

3. Questionable privacy training at Health Department

Documents suggest the health department employee did not routinely permanently delete sensitive data files off the laptop.

The employee, a manager within the department, also received training on the secure use of portable devices and safeguarding health data just two weeks before the theft.

The documents show training for health department staff seems to be a recent and infrequent practice.

The chief health privacy officer says in an emailthat she "did not believe any privacy training has been provided to date" by the previous officer, before she started her job in 2017.

The Health Department said it's taking steps since the theft to bolster its privacy training by 2020.

4. Encryption was 'very difficult,' so IT staff issued laptop without it

The laptop belonged to a group of about 20 to 40 devices piloted back in 2013. It was a Lenovo Helix tablet and laptop hybrid device, according to documents.

Laurie Gault, the government's director for the Technology Service Centre, told CBCthat IT staff were unfamiliar with encrypting tablets at that time. The centre is responsible for encrypting and issuing government laptops.

Documents also reveal the government's encryption software was incompatible with the Lenovo tablet-laptop hybrid in 2013.

"This particular device was very difficult to encrypt, so it was issued without encryption," says the N.W.T.'s chief health privacy officer in an internal email.

An IT worker who currently works for the government told CBC some IT staff and managers are not qualified to do their jobs.

Gaultsaid she had "high confidence" in her IT staff.

5. The laptop will probably never be found

Ottawa police did notformally investigate the theft, according to internal emails.

Police told CBCthe case was closed asthere were no witnesses orvideo footage available from the area where the car was parked.

Emails say a constable told the department the laptop was "likely sold for a small sum" and was "likely wiped clean."

"No investigation was assigned," states an internal email. "With no leads, the case has been closed."

• MORE NORTH NEWS |Stranded Alaska man jumped from floe to floe while waiting for rescue
• MORE NORTH NEWS |Small mistakes led to big consequences for man in Arctic ultra foot race