Top News

VIBERT: Privacy breach an epic government failure

Jim Vibert
Jim Vibert - SaltWire Network

It is impossible to overstate the epic failure of Nova Scotia’s Health Department, uncovered and enumerated by Privacy Commissioner Catherine Tully last week in a pair of damning reports.

The Health Department failed at virtually every turn to protect the privacy of 46 Nova Scotians whose medical records were pilfered for purely personal motives by a former Sobeys pharmacist. The department then compounded that failure with callous disregard for the victims’ rights to timely and complete notification on the extent of the intrusion into their personal medical histories.

The failures of the department mount like bricks in a wall as Tully painstakingly leads the reader through what would be a comedy of errors were not the implications so devastating for those whose privacy has been violated.

“It is virtually impossible to undo the harm and sense of violation individuals feel when the intimate details of their personal health information are breached. I find that the harm from these breaches is significant,” Tully concluded.

The department will respond to the commissioner’s findings sometime this month. It has a couple of bad choices. It could try to take issue with her report, but she’s built an air-tight case, so that’s a losing proposition.

More likely Nova Scotians will hear mea culpa and a promise to do better. Before the department spends too much time writing that, it should check its files. There’s a thick one around there somewhere containing all the previous apologies the department, or its subsidiaries, have issued for lax protection of Nova Scotians’ health records.

Those prior statements end with someone solemnly reminding Nova Scotians how seriously the government takes its responsibility to protect their privacy, and an aside about just how rare such security lapses are. They don’t seem rare when it’s your records someone is combing through.

There was nothing remotely serious or even competent about the way the department handled this breach. It didn’t seriously pursue a tip that came in on its 1-800 Health Privacy tip line, suggesting maybe Nova Scotian taxpayers ought to be spared the expense of that lip service.

It deferred to Sobeys in the initial investigation, and it even failed to identify all those whose records had been inappropriately accessed. The department identified 39 of the victims. The commissioner discovered seven more.

Those few Nova Scotians who take the time to read her reports – one on the department’s lack of performance, the other on Sobeys – will be appalled in turns by the department’s failure to meet its basic responsibility to get to the truth, and then by its arrogance in claiming righteous success even as it wallowed in abysmal failure. (More on the notices to victims later this week.)

It is worthwhile to compare the government’s flaccid response to a serious privacy breach that exposed the medical histories of Nova Scotians, with its guns-blazing, over-reaction when a weakness in its own system was innocently exploited to access files on the Freedom of Information, Protection of Privacy website.

In the latter case, the cops were called, a law-abiding Nova Scotian family got the SWAT treatment, the premier howled in the legislature like McGruff the Crime Dog, and then the government beat a hasty retreat, because there was no crime. There was only an information breach in a strict, technical sense.

By contrast, when the medical records of a significant number of Nova Scotians were improperly accessed, the Health Department told the privacy commissioner the breaches had been contained, when they hadn’t, and that there was no evidence of malicious intent, when there was a mountain of it.

The former Sobeys pharmacist went to considerable lengths to improperly access the medical records of people she knew – like the other driver involved in her car accident, and a person romantically linked to a family member – none of whom were customers of her pharmacy.

Tully’s investigation found there was nothing about this case to suggest “innocent mistakes” so the department’s conclusion that there was no “malicious intent” wasn’t based on any investigation or evidence. The department didn’t do the work required to come to those, or any conclusions.

And that is what it will need to explain when it responds later this month. If Nova Scotians are expected to have confidence that the Health Department can protect their medical information, we need to hear what’s going to change to make it different next time.

Jim Vibert, a journalist and writer for longer than he cares to admit, consulted or worked for five Nova Scotia governments. He now keeps a close and critical eye on provincial and regional powers.

Recent Stories