Office of the Information and Privacy Commissioner
September 4, 2015

Commissioner Satisfied with Steps Taken by Eastern Health in Response to Breach

On June 23, 2015, Eastern Health reported a privacy breach to the Office of the Information and Privacy Commissioner (OIPC) in which a non-encrypted flash drive containing employee names, Social Insurance Numbers and employee numbers had gone missing. Information of 9,000 employees was on the device: 3,300 included the SIN; 5,700 did not have the SIN.

On June 24 the OIPC launched an "own motion" investigation in relation into this breach. Subsequent to this, the OIPC received 35 complaints from individuals whose information was affected by the breach.

On August 6 it was reported that Eastern Health had found the flash drive in a file folder.

Prior to discovering the flash drive, and immediately after it reported the breach, Eastern Health began to identify and implement changes to its policies and procedures and security safeguards in order to prevent such an occurrence in the future. Eastern Health has advised us that it is committed to the following changes:

  1. No longer using Social Insurance Numbers as employee identifiers;
  2. Requiring employees to answer a series of security questions to verify their identity when requesting information;
  3. Requesting the return of all non-encrypted USB drives and the destruction of same;
  4. Upgrading Eastern Health's antivirus platform so that any non-encrypted flash drives which remain in use will automatically be encrypted upon the use of those drives for storage purposes;
  5. Implementing new device controls which will force all other forms of mobile devices through a lock-down or encryption process; and
  6. Creating a new policy regarding the issuance, control and use of mobile devices.

Many of these changes have already been implemented and Eastern Health has committed that the remainder will be implemented by the end of September 2015.

In light of the fact that Eastern Health has initiated these measures, combined with having found the USB device which had originally gone missing, Commissioner Ring has determined that no further review is warranted. This decision is within the Commissioner's authority under section 75 of the ATIPPA in circumstances where the public body has responded adequately to the complaint.

In making this decision, Commissioner Ring issued the following comment:

"During the course of our investigation Eastern Health has demonstrated a strong commitment to privacy protection and ATIPPA compliance and has acknowledged the failings in its systems which allowed this situation to occur. Furthermore, Eastern Health has assured me that it is taking steps to rectify those issues. My Office intends to follow up with Eastern Health to ensure that the announced changes have been implemented in a timely fashion and to the fullest extent possible. In light of the above circumstances and facts, we will be contacting each of the complainants and advising them as to our decision, along with reasons for not issuing a Report, and then closing our files."

- 30 -

Media contact:

Ed Ring
Information and Privacy Commissioner

2015 09 04                              11:40 a.m.