Accessibility/Mobile Features
Skip Navigation
Skip to Content
Editorial News
Classified Sites

The Canadian Press - ONLINE EDITION

Privacy office finds Medicentres failed to protect patient data on stolen laptop

EDMONTON - Alberta's privacy commissioner says a chain of medical clinics failed to protect patients' health information on a laptop that was stolen — and took too long to publicly report the theft.

The commissioner's office released its report Friday into the breach, along with several recommendations for Medicentres Inc., including one that the company update its notification policy.

An information technology consultant who had taken his laptop from work lost it at a public venue on Sept. 26, 2013. Nine days later, when the laptop couldn't be found, the company reported the theft to police and the privacy office.

The company didn't tell the government or the patients and their doctors until January.

The laptop contained key information from about 621,000 patients, who had been seen by doctors at the company's Alberta clinics dating back to May 2011. The computer was password-protected but not encrypted.

Encryption is a "no-brainer" that the privacy office has been recommending to health providers for years, said Brian Hamilton, the office's director of compliance and special investigations.

In addition, he said, Medicentres failed to properly inform the consultant of its security policies and didn't conduct regular checks on his work.

"This really speaks to governance and delegation of authority and being aware of what your service providers are doing," Hamilton said.

The report further criticized the four months Medicentres took to inform the patients and their doctors.

Disclosure wasn't mandatory by law at the time. But the privacy office had guidelines stating anyone involved in a breach should "immediately" respond and notify affected individuals. The report said staff repeatedly told Medicentres that it should notify people, but the company "spent considerable time considering and rejecting various methods of notification."

Hamilton said Medicentres technically adopted the privacy office's guideline, but without a time factor, and should revise its approach to "make sure its responses are more timely."

Health Minister Fred Horne said he was outraged by the delay when he learned about it. He was also angry that the privacy commissioner wasn't required to inform him about the breach.

Since then, changes have been made to the province's Health Information Act that require mandatory notification of people affected by privacy breaches. Violations carry a minimum $2,000 fine for an individual and $200,000 for a corporation.

Horne said details, such as how many days should be allowed for notification, are still being discussed but should be finalized in the fall.

"This should never happen again," he said Friday.

Dr. Arif Bhimji, chief medical officer for Medicentres, said the company needed time to pull together a team to respond to the phone calls it would receive from people about the laptop breach.

Four months was "not unreasonable," he said.

"I think moving forward we would try to do things sooner, but I'm assuming that we will never have this situation again."

Many of the report's recommendations have already been made and others are being "worked on," Bhimji said.

Medicentres has also stopped hiring consultants, he added, and will only do so again if they work strictly out of company offices with company equipment.

Medicentres was recently in court asking for a stay on the release of the privacy commissioner's report and a publication ban on its contents. The judge dismissed the application.

Bhimji said the company wanted more time to respond to a draft version.

Court of Queen's Bench Justice Robert Graesser wrote in his decision that the company's main concern seemed to be "the potential impact the final report may have on the intended class proceedings it faces."

A multimillion-dollar, class-action lawsuit against Medicentres was filed in June on behalf of patients who had their personal data stored on the laptop.

Medicentres and the privacy office agree that, so far, none of the patients has fallen victim to an identity crime.

  • Rate this Rate This Star Icon
  • This article has not yet been rated.
  • We want you to tell us what you think of our articles. If the story moves you, compels you to act or tells you something you didn’t know, mark it high. If you thought it was well written, do the same. If it doesn’t meet your standards, mark it accordingly.

    You can also register and/or login to the site and join the conversation by leaving a comment.

    Rate it yourself by rolling over the stars and clicking when you reach your desired rating. We want you to tell us what you think of our articles. If the story moves you, compels you to act or tells you something you didn’t know, mark it high.

Sort by: Newest to Oldest | Oldest to Newest | Most Popular 0 Commentscomment icon

You can comment on most stories on You can also agree or disagree with other comments. All you need to do is register and/or login and you can join the conversation and give your feedback.

There are no comments at the moment. Be the first to post a comment below.

Post Your Commentcomment icon

  • You have characters left

The Brandon Sun does not necessarily endorse any of the views posted. Comments are moderated before publication. By submitting your comment, you agree to our Terms and Conditions. New to commenting? Check out our Frequently Asked Questions.


Make text: Larger | Smaller

Brandon Sun Business Directory
The First World War at 100

Social Media