December 23rd, 2024

U of L data breach needs to be treated as a serious incident


By Letter to the Editor on July 25, 2020.

This letter is to inform the public of a breach of confidential health data by the University of Lethbridge Health Centre.

On July 13 I was sent an email that informed me that my confidential personal data including my full name, birth date and Personal Health Number was put into an unencrypted and unprotected Excel spreadsheet and mistakenly sent to a University of Lethbridge student via email. This incident happened on June 23 and I was not informed until July 13. The Health Centre staff confirmed that the email had been opened and read by the student, but could not confirm whether or not the student saved the confidential information.

There are many things about this data breach that alarm me:

– Why did the Health Centre wait three weeks to inform me of this data breach?

– Why did the Health Centre wait until July 8 (nearly two weeks after the mistake occurred) to delete the email from the student’s account? Why not immediately?

These are the facts as I have received them:

– I am not the only patient of this clinic to be affected from this situation.

– There is absolutely no assurance that this student did not write down, save, or use my information.

– As the student has not responded to any attempts to be contacted by the Health Centre, Health Centre employees cannot confirm that my data and identity is protected.

Since I was informed that my identity was possibly threatened, I’ve tried to protect myself without knowing when, how or if this threat will present itself. I have great sympathy for others in this situation as I’ve spent a large amount of time monitoring my health accounts as well as my credit card statements. I fear that someone now has been given all the information they need to apply for credit cards in my name which has the potential to ruin the credit score I have worked so very hard to achieve. The fear, trauma and violation I feel from this incident will have to be something I have to mitigate for years to come.

Having worked with confidential information for the duration of my entire career it is unthinkable to me that this breach happened in the first place. This incident should have never have been possible if proper procedures, training, and process were followed. We as employees who work with confidential data are entrusted to protect people’s private data. The Health Centre, through their mistake, has created an unsafe environment for me. I have felt violated and threatened because of this error in judgment and non-compliance.

The University of Lethbridge Health Centre has attempted to minimize the severity and damage of the incident. These attempts to minimize are further shown by the University of Lethbridge’s misinformation in a statement to the press (Global News), where they asserted that the student had not opened the accidental email whereas in the email sent to me and others informing us of this data breach, they stated that the student had.

I truly hope that the University of Lethbridge Health Centre, staff and doctors, treat this incident seriously; not only with words and statements but with actions. The possible consequences from this error in judgment are severe and traumatic. As someone who also deals with confidential data, I want to know what their protocol is and how they will review it. I hope they have the courage and decency to show the public that they are worthy of handling students’, staff’s and faculty’s private and confidential data once more.

Elsa Perry

Calgary

Share this story:

17
-16
2 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
HaroldP

The person who is responsible for the “Privacy and Information” at the University of Lethbridge is Scott Harling. He is also the University of Lethbridge’s personal in house legal council. His direct telephone number is: 403-332-4620. I found him extremely difficult and non-committal to deal with regarding a recent privacy concern that was submitted to him for response.