WINNIPEG - Manitoba’s Ombudsman says the scope of the privacy breach has never before been seen in the province, as the independent office for investigation releases its report on the accidental exposure of the health information of nearly 9,000 children.
The report details an email sent by a staff member at Children's DisABILITY Services in August of last year. It contained the names, birthdates, addresses, and medical information of 8,900 clients, and was intended to be viewed by staff at the Manitoba Advocate of Children and Youth. The Ombudsman says, in addition to the intended recipient, more than 100 email addresses for other agencies ended up being added to a blind carbon copy field before the email was sent.
The error was reported to the Ombudsman as part of standard practice, and the ensuing investigation found the breach happened as a result of unintentional human error, and points out that “the unintended recipients acted quickly” to delete the message.
The Ombudsman also notes that while the department took appropriate measures in responding to the breach, it hadn’t fully implemented privacy and confidentiality policies and procedures, as required by the Personal Health Information Act.
Investigators say, considering the volume of personal information handled by different programs across the province, a stronger commitment to privacy protection needs to be demonstrated. The report lays out detailed guidance for agencies to increase PHIA compliance and strengthen their privacy protection practices.
The Ombudsman says the department has accepted all nine of the report’s recommendations. Apologizing to the families that were impacted by this privacy breach, Manitoba Families Minister Rochelle Squires says the department has already implemented most of them, and the only task remaining is the installation of new software as a preventative safeguard.