Middlesex-London Health Unit


MLHU Public Statement re: Privacy Investigation


The Middlesex-London Health Unit (MLHU) has concluded its investigation into whether Personal Information (PI) or Personal Health Information (PHI) was disclosed when electronic devices and paper documents were inadvertently left at the Health Unit’s former office location at 50 King Street in March of 2020.

The matter was first brought to the attention of the Health Unit on April 23rd, 2020, when employees of Middlesex County, the owners of the building at 50 King Street, notified Health Unit administration that electronic devices had been found in the building’s lower level vault. The Information and Privacy Commissioner of Ontario (IPC) was notified and the MLHU has worked closely with the IPC to ensure all appropriate steps have been taken in response to the reported privacy breach.

Due to the actions that were taken to contain the breach, the Health Unit is confident that it has responded properly to the potential unauthorized use or disclosure of PI or PHI contained on the devices or among the paper documents, which were the subject of investigation.

In the course of its investigation, the Health Unit reviewed the paper documents and conducted a thorough examination of electronic devices to determine whether any personally-identifiable data was present. Only on computer hard drives and among certain files were potential disclosure issues identified, as follows.

FINDINGS

Hard Drives:

Of the 80 hard drives, the investigation revealed that:

  • 72 had been wiped and contained no user data;
  • Two were encrypted and no user data was accessible;
  • Two were corrupt and were not readable;
  • Two contained user data, but no PI or PHI;
  • Two contained PI/PHI.

The PI and PHI contained on one of the drives included 35 referrals and caseload information for 530 clients of the infant hearing and blind-low vision programs, while the information on the other hard drive included the names and contact information of 150 MLHU volunteers.

Based upon its investigation, the Health Unit is satisfied that there was no viewing by County staff or other persons of information on the drives that is protected under the Personal Health Information Protection Act or the Municipal Freedom of Information and Protection of Privacy Act, and that actions taken to contain the breach prevented the unauthorized use.

Paper Documents:

Most of the documents left at 50 King Street were non-confidential in nature, including retired stationery, brochures and other program materials; however, there were documents which contained the PHI of some Health Unit clients. This information included:

  • Client lists related to a food poisoning investigation, with information for 270 individuals associated with the investigation;
  • A fax request for medical records;
  • A fax immunization report for a school aged child.

Middlesex County administration has confirmed that none of the records listed above were reviewed by County staff, and that the said documents were held in a secure area until they were retrieved by Health Unit staff. The Health Unit is satisfied, therefore, that there was no viewing of PHI in the recovered documents.

CONCLUSIONS/NEXT STEPS

The equipment and documents that were the focus of the Health Unit’s internal investigation were inadvertently left on the premises of 50 King Street as the agency was completing the move to its new office location. While there had been a thorough plan in place to complete the final phase of the move, staff redeployments to address the emerging challenges of the COVID-19 Pandemic led to the oversight that resulted in these resources being left behind.

The MLHU is developing more comprehensive documentation for information technology standards and procedures. The absence of a documented procedure for handling digital media across its lifecycle contributed to devices not being properly disposed of at the end of their life cycle and/or being moved to the vault prior to being wiped completely. Instances of non-compliance with components of the Health Unit’s information security policy were also noted, including the storage of some PI/PHI on hard drives rather than on the network. It was also noted that some hard copy documents were not disposed of in a secure manner.

A new annual privacy education program was already in the process of being implemented in February 2020 to increase staff awareness of, and compliance with, policy requirements, and has now been completed by all MLHU staff.

FURTHER INFORMATION

The Health Unit’s investigation of these matters is now complete. The Health Unit is in the process of implementing new policies and procedures to ensure that electronic devices that are obsolete or have reached their end-of-life are not only disposed of securely and properly, but also that the data they contain is erased and destroyed.

Anyone who would like more information about this investigation or its findings may contact the Middlesex-London Health Unit’s Privacy Officer, Nicole Gauthier, at nicole.gauthier@mlhu.on.ca or 519-663-5317 or the IPC at 1-800-387-0073.
