Pap smears, STIs and flu: What the N.W.T. gov't didn't tell you about a stolen laptop

This story is Part 1 of 3 on the stolen laptop files.

The number of people whose personal health information was put at risk after a laptop was stolen last year is much higher thanthe N.W.T. government initially reported, and the data breach affects people from every province and territory in Canada, according to internaldocuments obtained by CBC News.

Last May, a laptopbelongingto an employee with the territory's Department of Health and Social Services was stolen from a locked vehicle during a business trip in Ottawa.The laptopused to do statistical analysiswas unencrypted but had a strong password, the Health Department said in announcing the breach last summer.

It contained health data for a majority of N.W.T. residents.

The N.W.T. government, which has a long history of health data breaches, has been silent about the stolen laptop since the public announcement in late June more than six weeks after the theft.Oneother health data breach has happened since.

A health department spokesperson declined CBC's request for an interview.

The department launched an internal investigation after the laptop theft, which is also being reviewedby the territory's privacy commissioner.The N.W.T. privacy commissioner told CBC she recently received the department's reportand aims to complete her own investigation by May.

But documentsreveal key updates and unreported details about the privacy breach.

I cannot with absolute certainty rule in or out the complete list of files absolutely on or not on the [laptop] at the time of the theft.- Health department employee who lost the laptop

The information is contained in more than 350 pages of internal government emails and documentsobtained by CBCthrough the Access to Information and Privacy Act.

They date from May 9the day of the theftto July 17, 2018, and suggest the laptop contained health data from as far back as 2009.

"We have no way to isolate what data was lost [or was] vulnerable to the breach or who were the subjects of the data," the chief health privacy officer said in an email on June 19.

The department later relied on the employee's memory of all potential datasetsthat may be on the laptop, to do their analysis.

Here's what the documents further reveal:

50% of residents at risk of identity theft

Less than a week after alerting the publicin late June, the Health Department found that 39,145 N.W.T. residents could be affected by the breachup from the 33,661 figure that waspubliclyreported. Counting non-residents and unidentified individuals, the total number of people potentially affected exceeds40,000.

The N.W.T. has a population of about 41,800 people,according to 2016 census data.

The increase was due to finding information that was previously missed, the department said in the documents.

The department also saidthat upon further analysis, the risk of identity theft "significantly decreased."

About 47 per cent of N.W.T. residents whose information was containedin the datasetsare at "no risk" of identity theft, according to the documents, as they were just identified byhealth-card numbers.

But the remaining 53 per centcould be at risk because their names, dates of birthand/or health-card numbers were stored on the laptop.

PAP smears, TB, and colon infections

The documents also reveal that information about specific diseases, tests and vaccinations was potentially stored on the laptop.More than 50per cent of all the records for N.W.T residents were in a tuberculosis surveillance dataset. With duplicates removed, the second highest number of records were for flu vaccinations.

Thousands of other records were related to HPV vaccinations, C. difficile (colon infections), pap smears, whooping cough, blood tests for tuberculosis, sexually transmitted infectionsand antibiotic-resistant diseases, among others.

Other information potentially on the laptop included: ethnicity, X-ray results, history of sexual partners,dates of death and "risk status."

The internal documents say the tuberculosis blood test data was definitely on the laptop,while other data are categorized as "very likely" or "likely" to be on the laptop.

Data sourcewith 100% of residents' info

In their initial report to the department, the employee who lost the laptop listed the names of thesources, or information systems,used to extract datasets that "may have still been stored" on the laptop.

Among the systems listed is the Health Management Information System (HMIS), "which includes demographic information on 100 per cent of N.W.T. residents," according to the documents.The documents note that HMIS is regularly updated and is "the most up-to-date source" for residents' names, dates of birth, communities of residence, sex, health-card numbers and "other important indicators."

It's unclear whether HMIS was on the laptop,as the employee suggested they "rarely" worked with the system.

At the end of their report, the employee reiterated: "I cannot with absolute certainty rule in or out the complete list of files absolutely on or not on the [laptop] at the time of the theft."

• Read Part 2 | N.W.T. employee dug through planters, trash to find stolen laptop, weeks after privacy training
• Read Part 3 |Stolen N.W.T. laptop was among dozens that were unencrypted, and handed out to unsuspecting staff

Info on Canadians from coast to coast

Information on at least 257 people from every other province and territory was also stored in datasets on the laptop, according to the documents. Most of the non-N.W.T. residents potentially affected by the breach 71 people came from Alberta. The fewest,two, came from P.E.I.

These people could have beenvisitors to the N.W.T., short-term workersor residents who recently moved, according to the Health Department.

Here's the full breakdown by jurisdiction:

• 71 from Alberta.
• 46 from B.C.
• 46 from Ontario.
• 23 from Nova Scotia.
• 18 from Saskatchewan.
• 16 from Newfoundland and Labrador.
• 9 from Manitoba.
• 9 from Nunavut.
• 7 from New Brunswick.
• 5 from Quebec.
• 5 from Yukon.
• 2 from P.E.I.

The documents also note there are 634 records with errors or that are missing identifiers.

Police didn't investigate, case is closed

Ottawa police did notformally investigate the theft, according to internal emails, asthere was no video footage available from the area where the car was parked.

"Apparently the City of Ottawa police department receives in excess of 100 theft reports weekly in the ByWard Market region," the employee saidin oneemail.

They say a constable told them the laptop was "likely sold for a small sum" and was "likely wiped clean."

"No investigation was assigned," states an internal email. "With no leads, the case has been closed."

Part 2 of this serieslooks at details on the night the laptop was stolen, and whether the health department has adequate security training. The third storylooks at why an unencrypted laptop was being used by health department staff.

Do you have any stories or tips about health information breaches in the N.W.T.? Contact priscilla.hwang@cbc.ca

• MORE NORTH INVESTIGATIONS|11 Nunavut nurses made more than $100K each in overtime alone in 2016-17
• MORE NORTH INVESTIGATIONS |Complaints about illegal tour operators, rule breaking rampant in N.W.T.