http://www.cbc.ca/canada/ottawa/story/2007/03/08/sickkids-stolenlaptop.html
CBC News
March 8, 2007
Hospitals across the province are now expected to follow new data
security rules following the theft of a laptop computer holding personal
information on thousands of patients at Toronto's Hospital for Sick
Children, says a report by Ontario's privacy commissioner.
Ann Cavoukian's report was released on Thursday, more than two months
after the laptop was stolen from the minivan of a doctor. He had left
the hospital on Jan. 4 with the computer to work on a research project
at home that evening.
Data stored on the laptop included information on 2,900 patients, such
as their names, patient numbers and medical conditions.
Hospital spokeswoman Helen Simeon admits the laptop contained sensitive
material and even included the HIV status of some patients.
"In my view, there is no excuse. This should never happen again," Simeon
told CBC News on Thursday.

Hospitals in question contacted

All hospital patients affected by the security breach have been
contacted.
About one-third of them have died, but Cavoukian said the privacy of
their medical information is still important because of links to their
relatives.
Cavoukian ordered the hospital to implement a ban on the removal of
personal health data in electronic form from hospital premises. In cases
where such information must be removed, it must first be encrypted.
In fact, all Ontario hospitals will be expected to follow the new rule,
Cavoukian said.
"That is now the standard in Ontario. You must encrypt personally
identifiable data that you remove from the office on a remote device."
The only security measure on the stolen laptop was an eight-character
alpha-numeric password. Cavoukian's report says password protection is
no longer enough.
"There is no excuse for unauthorized access to personal health
information due to the loss of a mobile computing device," it says.
Cavoukian notes that when it is necessary to upload patient data onto
mobile electronic devices, it can also be encoded and include only
information essential to the research.