Ombudsman releases report under PHIA about a privacy breach at Children’s disAbility ServicesReturn to listing
Apr 29, 2021
Manitoba Ombudsman has released a report under the Personal Health Information Act (PHIA) about an investigation into a privacy breach that affected 8,900 children receiving services from the Children’s disAbility Services (CDS) program of Manitoba Families.
“This privacy breach was unprecedented in scope for this province,” said Ombudsman Jill Perron. “When those affected are vulnerable children and youth, the impact of a privacy breach of sensitive personal health information for those children and their families can be devastating.”
On August 26, 2020, the Children’s disAbility Services (CDS) program of Manitoba Families unintentionally blind-copied about 100 service agencies and community advocates on an email that was intended solely for the Manitoba Advocate for Children and Youth. The personal health information in a document attached to the email included details such as the child’s name, gender, date of birth, address, the nature of their disability and dates and types of medical and psychological assessments that had been conducted. While the information was encrypted, a follow-up email containing a password was sent moments later. The follow-up email was also blind-copied to the service agencies and community advocates.
Under PHIA, a privacy breach occurs when there is unauthorized collection, use, disclosure or disposal of personal health information. Misdirected communication that contains personal health information is a privacy breach.
Our office launched a systemic investigation to review the circumstances surrounding the breach, to examine the department’s compliance with the requirements of PHIA and to identify areas where administrative improvements related to the protection and security of personal health information in the care of Manitoba Families could be made.
Our investigation identified the following:
- the breach was unintentional and resulted from human error
- the unintended recipients acted quickly to destroy the personal health information
- the department took appropriate measures in responding to the breach
- the department did not fully implement privacy policies and procedures, and pledges of confidentiality, as required by PHIA
- the volume of personal and personal health information handled in departmental programs requires a stronger commitment to privacy protection
“All trustees have a duty to protect the personal health information of the citizens they serve,” said Perron. “This investigation provides the department with guidance to increase compliance with the act and the opportunity to strengthen its privacy protection practices across all of its programs.”
We made nine recommendations to the department related to strengthening policies and procedures and training employees about privacy obligations. As the department collects personal and personal information from thousands of Manitobans receiving its services, we also recommended that the department implement a comprehensive privacy management program.
The department accepted our nine recommendations and its response to each recommendation can be found in the report. In addition, the department provided implementation plans to our office detailing how it will deliver on its promise to put in place appropriate security safeguards required under PHIA. We will conduct a follow up audit in 2022.
The full privacy breach report can be found on our website at https://www.ombudsman.mb.ca/uploads/document/files/case-2020-1304-en.pdf
Investigation highlights can be found here: