Dear Colleagues,

On the weekend of May 8-9, a new laptop that was thought to be encrypted was stolen from a nurse's car. We subsequently discovered that the laptop encryption had failed when the laptop was provided to the nurse on May 5.

On Monday, May 17, 2010, Ontario's Information and Privacy Commissioner (IPC) was notified and we are cooperating with the IPC to fully review this incident.

Investigations by UHN's Privacy Office and SIMS have discovered that the laptop contained select personal health information (PHI) on approximately 20,000 surgical patients (names, date and type of surgery, and, for a limited number of patients, their phone numbers) from 2004-2010. No addresses or OHIP numbers were saved to the laptop. Although we also found that the encryption process failed on the laptop, we estimate that there is a very low risk of identity theft or fraud because no OHIP numbers or full contact information were saved on the computer. So far, the laptop has not been found by the police or posted on common online sales sites.

There are no actions that need to be taken by patients as a result of this theft. However, patients can call a UHN information line at 416-340-4674 if they have further questions. We will also be notifying by letter those patients who had their phone numbers on the laptop as part of their health information.

Consistent with IPC recommendations, steps are being taken to make sure that encryption is successfully installed, activated and checked before a new computer is given to a user and that any errors with encryption installation/activation are monitored more closely. Staff training on security safeguards for electronic devices will intensify, and we will continue to deploy software for UHN personnel to encrypt their USB keys.

We are all responsible for ensuring that computers and laptops with patient information are protected from theft or fraud.

  • If you have any patient information on your computer, please ensure that it is moved to the UHN network, a secure system within the hospital.
  • Copy patients' personal health information to any devices only if absolutely necessary to support your work and if there are no alternatives to access the information another way.
  • Check with SIMS that the encryption on any new UHN portable device given to you was successfully activated and completed before you accept the new device.
  • If you have a laptop that sits on a docking station, it's your responsibility to get a laptop lock cable cord by completing a Computer Hardware Request form on the intranet.
  • If your device does get stolen or patient information is compromised, please report it immediately to the Privacy Office by calling 14-6937 or filling out an e-form.

If you have any further questions, please don't hesitate to contact the Privacy Office via e-mail at privacy@uhn.on.ca. Thanks everyone for making every effort to ensure privacy and security of personal health information at UHN.

Bob
