N.W.T.'s COVID-19 secretariat apologizes after self-isolating travellers' info breached

A number of travellers recently self-isolating in Yellowknife had their email addresses revealed in an "unauthorized disclosure of personal information," according to a letter sent by the territory's Health department.

According to the letter, on April 19, at 9:44 p.m., an employee working for the territory's COVID-19 Coordinating Secretariat sent out an email to travellers self-isolating in Yellowknife, as well as those self-isolating between March 31 and April 17.

The purpose of the email was to inform the recipients of COVID-19 traces detected in Yellowknife's wastewater, and to recommend those isolating between those dates to get tested for COVID-19. MLA Steve Norn, who publicly outed himself as testing positive, mentioned in a statement that public health advisories for people isolating during those dates led to himself seeking a test.

However, when the email was sent, the distribution list was made visible to all recipients in error, according to the letter, leading to the email addresses, and in some cases, names, of everyone self isolating during that time period being made visible.

In the letter to those who had their privacy breached sent on April 22, Michele Herriot, the chief information officer for the Health department, says that the initial investigation of the incident "has determined that the cause of the incident was human error," and that the employee responsible recognized the mistake immediately, but was unable to successfully recall the email.

"The [COVID secretariat] will be reviewing current practices to identify ways to further mitigate privacy breaches like this one," the email says, adding that they believe there is "no evidence" to indicate the information has been further disclosed, or there is potential for it to happen again.

Email sent to 1,211 unique addresses

The email was sent to 1,211 unique email addresses, aspokesperson for the coordinating secretariat told CBCNews.

Dawn Ostrem said the secretariat has "administrative processes" that are meant to prevent privacy breaches like this one, including the "careful review of email recipients prior to sending and use of discrete email lists."

She said the secretariat is updating its procedures to require that mass emails be reviewed by the director, a supervisor or a manager before they are sent out.

All the people whose emails appeared on the distribution list were notified of the breach, said Ostrem, as was the N.W.T. information and privacy commissioner.

The territory's Health department has had a long list of privacy breachesover the past decade, including an incident where patient records were found at a government dump and another in which a laptop was stolen containing health information of the majority of N.W.T. residents.

In the letter, Herriot extends "sincere apologies" on behalf of the secretariat and the Health department for the breach.