Alberta health info stolen

The information includes unencrypted names, birthdates, health card numbers, billing codes, billing amounts and diagnostic codes for patients who were seen at Medicare clinics around the province from May 2, 2011, to Sept. 19, 2013.

Horne said the laptop was stolen Sept. 26 and reported by Medicentre days later, on Oct. 1, to Alberta Privacy Commissioner Jill Clayton and the Edmonton police.

Horne, however, said he and his department were not told until Tuesday, when he received a letter from the vice president of Medicentres.

“On behalf of the citizens of this province I’m quite frankly outraged that this would not have been reported to myself or my department sooner,” Horne told a news conference at the legislature.

“I find it incredibly hard to believe that in a province such as Alberta that such an incident could occur.”

Horne said he has asked Clayton to investigate the matter under the Health Information Act to determine what happened and whether any breaches of privacy legislation have occurred.

“I will pursue this matter to the full extent of the law,” he said.

Medicentres operate a chain of primary care clinics.

The company, in a news release, said so far it has no evidence that the information on the stolen laptop has been accessed or misused but urged patients to check bank and credit card statements.

It said it has since updated its security measures and is conducting audits to make them even better.

“We apologize to all patients for any concern this (breach) may cause,” said the statement.

Clayton was unavailable for comment Wednesday.

Brian Hamilton, Clayton’s director of compliance and special investigations, said they have been working with Medicentres since the breach to determine what happened and to check on privacy breaches.

When asked why the privacy commissioner did not inform Horne’s office last fall, Hamilton said Clayton is duty bound and compelled by legislation to restrict the information to those directly involved.

“It wouldn’t be our practice to notify the minister unless the breach involved one of the ministry’s information systems,” said Hamilton.

“The types of things that we would typically do in this kind of investigation (such as) working with the organization to make sure they improve their practices (and) trying to encourage them to notify people about the breach – none of that needed to involve the ministry.”

He stressed that while the privacy office can urge companies to report privacy breaches to those affected, such as the government, it can’t compel them to.

He said Clayton would make a decision as early as Thursday on whether to launch an investigation.

Wildrose party critic Kerry Towle said the issue raises larger concerns about Albertans’ privacy.

“Albertans have a right to expect that their sensitive personal and health care information is kept confidential and that all possible safeguards are in place to protect it,” said Towle in a news release.

“They also have a right to expect immediate notification if their personal information has been compromised in any way.

“The fact that it has taken five months for this to reach the minister’s desk is quite disturbing.”