Losing a laptop with 600,000 patient records is a policy issue

A macro approach to achieving national data security

The news of a major privacy breach in Alberta has made headlines recently. While media attention has focused on exploring how a laptop containing over 600,000 health records was stolen, the bigger question is, how will public policy need to change to ensure that data security remains a priority after the latest controversy fades?

It is no wonder that laptops are one of the most vulnerable assets in an organization’s infrastructure. As these small, nimble processors gain speed and agility they are becoming more and more important in day-to-day operations. For a number of years, laptops and handheld computers have been very appealing items for theft. These were once sold to pawnshops or on eBay. Recently, however, it is no longer the devices that are of most value, but the information that they contain. Legions of credit and identity fraud artists are paying almost $50 for each record of personal information (names, addresses, identification numbers, credit card numbers, etc.), and sometimes more, depending on how complete and recent the information is.

In Canada, the government provides extensive protection to profit-making or vulnerable assets such as oil fields, power plants, and banks. Today, big data assets, namely public records, are even more valuable and vulnerable, but are not protected or regulated in the same way. I will argue that for big data to be protected adequately, governments need to consider it a national asset and to afford it the same degree of regulation and security as other national assets.

In Alberta, the news has just come out that over 600,000 unencrypted health records (with names, health card numbers, and diagnoses) were on a laptop stolen from a healthcare IT consultant. As appalling as this incident is, it does not necessarily reflect a failure on the part of Alberta’s privacy commissioner, laws, policies, or IT systems; these are working as they should. It is not any of these individual factors, but the gaps between these instruments – laws and regulations, operating procedures, and technologies – that are to blame. The only way to prevent similar incidents is to examine these gaps, formulate lessons learned, propose a strategy to solve the issue, and take the lead on privacy nationally.

Open data is becoming more and more important as health systems and other government organizations transfer citizens’ personal information to online systems. As this occurs, data is aggregated to create databases accessible to administrators, researchers, and clinicians regardless of their location. The key question is at what level to aggregate information. The recent incident goes to show that aggregating data such as electronic health records at the regional level has not been justified by its benefits, especially when there is a risk that data can be stolen and used by organized crime. I would argue that no laptop in a centralized government department should contain 600,000 records. A central data warehouse may contain that many records, but the information would be encrypted or de-identified. Problems have not usually come from data centres, but from smaller, more peripheral organizations with fewer resources for implementing adequate privacy and security measures. There is no reason for these organizations to have massive amounts of aggregated, identifiable data.

Following the hospital incident, a press release indicated that patients should check their banking transactions. Is this the only issue threatening citizens? How about the risk of embarrassment, or even losing a job due to compromising health information? This stolen database can and will likely end up with a private investigator company that will offer the data for cash on the internet. At this point, patients have no recourse to protect their information or seek compensation – they will not even be notified as to whether their records were among those stolen. Citizens are well justified in being outraged.

What to do then? It will take a centralized initiative or task force by the provincial governments to solve the underlying issue: big data simply is not being protected as a valuable and vulnerable asset. I propose the following actions:

  • Data should be instituted as a national asset. This means that big data in its own right – not as health information or financial information, but simply as aggregated personal information – should be regulated either by a self-enforced code of conduct or a legally enforced code that has teeth. This approach would ensure that data custodians invest in adequate data protection tools and follow defensible practices and rules.
  • The private sector and non-governmental organizations which use large volumes of personal information for research should implement de-identification – that is, personal identifiers should be removed from the data as soon as possible. This includes data used for marketing research – companies should be analyzing consumer trends using aggregated, de-identified data, not examining the behaviour patterns of identifiable customers.
  • All major organizations that handle personal data should be required to self-audit their data management practices as a part of their security and privacy assessments.

At this point, preventing privacy breaches is not so much a question of law or technology as a question of public policy. The government, private, and not-for-profit sectors are legally responsible for protecting our most valuable asset – our personal information. Only when we recognize its value will we begin to invest in protecting it adequately.