A blank Excel spreadsheet seen on Sept. 23. (Dana Hatherly/Yukon News)

Privacy breach puts hundreds of Yukoners at significant risk

Education employee sent spreadsheet containing personal information data

A high-risk privacy breach has sparked concern for some Yukon families after hundreds of people had their personal data breached.

The breach has prompted a designated Yukon privacy officer for the department of Education to issue a notice. In total, 537 letters were sent to impacted individuals.

According to a copy of the Sept. 15 notice, which was provided by the Yukon Party, an employee sent an email to an unknown member of the public with a spreadsheet of personal data for people who applied for a Yukon Grant in 2022.

The notice notes the spreadsheet contained names, addresses, phone numbers, email addresses, dates of birth and social insurance numbers.

According to the notice, the breach occurred on Aug. 24 and was reported that day. The notice describes it as a significant risk because the sensitive nature of the information creates the possibility of identity theft and financial fraud.

The privacy officer is seeking to have the individual delete and destroy any copies of personal information they received.

The problem is that attempts to reach the individual by email, phone, social media and their potential place of employment were coming up empty, according to the notice.

“We will continue to attempt to contact the individual and, if successful, have them confirm in writing that the information received was never used, reproduced, copied, forwarded or communicated to any other person, and the information received in error was securely destroyed/deleted,” reads the notice.

The notice suggests the recipient can submit a complaint to the Yukon information and privacy commissioner. It also offers credit monitoring for a year.

In a Sept. 22 email statement, a representative for the Office of the Information and Privacy Commissioner confirmed the breach had been brought to its attention. The representative said the office is working with the department of Education to ensure it has met its obligations under the Access to Information and Protection of Privacy Act.

Opposition reacts

In a Sept. 22 release, the official Opposition said it wants to know the costs, and whether the department and the Yukon government will ask the commissioner to help make processes better going forward.

“This is a disturbing breach of Yukoners’ private information,” said Scott Kent, who is the Yukon Party MLA for Copperbelt South and the party’s education critic.

“It is concerning the Minister of Education did not prioritize notification at the earliest possible opportunity.”

A party spokesperson said by email the party has heard from 10 concerned families.

Department responds

In an email statement, a department of Education representative said protection of personal information and privacy are taken “very seriously.”

“The breach has now been contained and the risk of this information being used in an inappropriate matter is being mitigated,” the spokesperson said.

The department spokesperson said by email on Sept. 23 that the individual who received the personal information in error had been spoken to on Sept. 22.

“The individual did not open the email and has deleted it; they are a Yukon citizen and have been very understanding and cooperative while working with us to ensure we support Yukoners through this unfortunate error,” reads the email.

“The individual has confirmed that they have not viewed, saved, reproduced, forwarded or printed the information in question. They have also confirmed the information has been securely deleted.”

The spokesperson said the department has been following the Yukon government’s privacy breach procedures, including working with the commissioner, and is reviewing internal training and processes to help prevent privacy breaches in the future.

Privacy regulators demand digital security

Meanwhile, Canadian privacy authorities are calling for governments and health-care institutions and providers to abandon old technologies for sharing health data to avoid losing the public’s trust in the health system.

In a joint resolution, Jason Pedlar, the Yukon’s acting information and privacy officer, and other information and privacy commissioners and ombudspersons argue that using outdated and vulnerable technologies threatens to break down the public’s trust in the security of personal health data.

“Personal health information is one of the most sensitive types of information about an individual,” Pedlar said in a Sept. 22 release.

“There are many modern and practical ways to facilitate the legal and secure sharing of personal health information, such as encrypted email services, secure patient portals, electronic referrals, and electronic prescribing. It is critical to protect this information in order to maintain Canadians’ trust in the health system.”

The resolution put out by the privacy regulators, who met in St. John’s, Newfoundland this week, sets out measures for the health-care sector, including phasing out fax and unencrypted email.

It notes that individuals may withhold or falsify health information, avoid treatment or hesitate to contact health providers altogether, putting their own lives at risk, if they lose confidence in health-data sharing.

Contact Dana Hatherly at dana.hatherly@yukon-news.com