Two laptops containing the health information of more than 300,000 patients were stolen from Alberta Health Services (AHS) in Canada in June. It was recently revealed that the data on the portable devices were not encrypted.
Alberta's Information and Privacy Commissioner Frank Work said he was "perplexed" by news that the two stolen laptops were not encrypted.
"This is shocking for me... I don't know what we have to do to drive this message home," Work said. "The standard in Alberta for storing personal or health information on portable devices is encryption. I can't accept anything less. This is highly sensitive information and an issue of public trust. How can the public have faith in public bodies if they can't provide security for personal information?"
Information on the laptops included names, birth dates, personal health numbers and lab test results for communicable and reportable diseases, according to the Office of the Information and Privacy Commissioner of Alberta.
Work said AHS did have layers of protection on those laptops, but the final layer was not there, and while the risk might be low, there is still a risk.
"A person with motivation and sufficient skills could still access the information," he added. "Risk remains without properly implemented encryption. The measures they had in place are better than nothing, but not good enough."
The Office of the Information and Privacy Commissioner has launched an investigation into this matter. Work said that he and his office will be working very closely with AHS to make sure they understand their obligations and to ensure that steps are taken to prevent this from happening again.