Today The Chilliwack Progress reported that a computer disk containing confidential information about Vancouver’s Fraser Health Authority (FHA) employees and their participation in counseling services was stolen in March along with the computer it was in from the Vancouver office of the Employee and Family Assistance Program (EFAP) run by the Vancouver Coastal Health Authority.
"Fraser Health Authority (FHA) employees have been warned that some of them who used an ultra-confidential counselling service may have had their privacy breached as a result of a theft of a computer. The computer with a disk inside it went missing in March from the Vancouver office of the Employee and Family Assistance Program (EFAP) run by the Vancouver Coastal Health Authority. The disk contained the names, birth dates, contact information and referral reasons for thousands of Lower Mainland health workers who sought help for intensely personal problems. The service offers help with relationship counselling, drug or alcohol addictions, sexuality questions, abuse, loss and grief, and stress or emotional traumas – among other issues. "People who use the EFAP program are often going through a crisis of some kind," said Hospital Employees’ Union spokesman Mike Old. "The theft of that information is of great concern to the union and its members." Fraser Health Authority spokesman Paul Harris said the authority doesn’t know how many of its employees are affected. "Because it’s a confidential service we have no idea who has used it," he said. Old said the HEU is troubled that health authority employees weren’t notified of the theft until April 6 – 10 days after it happened. The notification from EFAP indicated the data had some degree of encryption and might not be readily viewable. "We have no reason to believe that the individual who stole the equipment is even aware or has any plans to use the information," it says. EFAP says it is reviewing its security measures. B.C.’s Information and Privacy Commissioner is investigating the theft and monitoring the response."
I wonder what "some degree of encryption" means? Since it then goes on to say "and might not be readily viewable" I wonder if this really means the data was scrambled if viewed as a raw data file, but actually viewable through the software it is used with?
It will be interesting to see what actions the British Columbia Information and Privacy Commissioner takes. Would this be a possible violation of PIPEDA?
Technorati Tags
privacy
law
PIPEDA
stolen laptop
health information
breach notification