Health and Social Services Minister Tracy-Anne McPhee is apologizing to Yukoners impacted by a privacy breach involving an unencrypted USB drive containing confidential files from Family and Children’s Services.
A statement issued Oct. 18 by McPhee indicates the files were taken from the department’s system by a former employee.
“On behalf of the Government of Yukon, I offer my sincere apologies to those impacted by this privacy breach,” McPhee said.
“Ensuring that Yukoners’ personal information is protected and secure is of the utmost importance and we are taking this situation very seriously.”
According to the statement, the department is reviewing the information to identify the affected individuals and notify them by mail by the end of the week.
“We will be providing each individual with contact information and someone they can talk to at Health and Social Services, and we will be following up and reaching out directly with a personal phone call to those most affected,” McPhee said.
The statement indicates that while the files are not recent, they contain sensitive information and the former employee was not authorized to take the information.
“The former employee abandoned their belongings in a storage unit, which later ended up being sold to a local pawn shop,” McPhee said.
McPhee indicated the breach has been contained, although the investigation is ongoing. Her statement indicates the file remains open with the RCMP as the department considers taking further action.
“Within 24 hours of being notified by the information and privacy commissioner, we were confident that all information on the USB drive was recovered and secured,” she said.
“We now have the USB drive safely in our possession, and we have confirmed with the three individuals who were known to have witnessed some of the contents of the device that they have destroyed any copies of information on the USB drive and that they have not disclosed any of the confidential information.”
McPhee told reporters in the cabinet office on Oct. 17 that she estimated between 30 and 60 people were affected by the breach, which was brought to her attention on Oct. 13.
The department upped its data security measures prior to the breach.
McPhee said the department has replaced its case management system with one where files are only accessible through a government port with security login.
“We are working to protect client information, which is of course foundational to providing safe health and social care to both clients and staff,” McPhee said.
“Information cannot be seen or removed from any of those systems without that process.”
The new system was fully implemented in November 2021, according to a statement from the department.
McPhee said the Yukon government regularly deals with “hundreds of thousands of pieces of information” within a given week or a month.
“Many opportunities exist for us to protect individuals’ personal information [and] personal health information, and we do so on a regular basis all the time, as best we can,” she said.
“What occurs on certain occasions with errors or with inappropriate information being removed from a government system is something that we’re investigating just now.”
McPhee said the investigation will reveal if additional measures are required.
“While staff are trained to follow these policies, protocols and safeguards, the department is reiterating and reviewing staff obligations and responsibilities to further protect the private personal information and health information of Yukoners,” reads McPhee’s statement.
An Oct. 14 email statement from the office of the information and privacy commissioner confirmed the office notified the department of the alleged breach and is willing to provide guidance on this matter, as required.
“In recent days, a member of the public notified our office that they had acquired records that appear to contain personal information and personal health information,” reads the statement.
“Under the Access to Information and the Protection of Privacy Act (ATIPPA) and the Health Information Privacy and Management Act (HIPMA), a department must investigate any alleged breach and evaluate whether there is any risk of significant harm to anyone as a result. Where a department identifies a risk of significant harm, this triggers a requirement to notify affected individuals, and to provide our office with a breach report outlining what actions they took to mitigate the breach and avoid a recurrence.”
When a breach report is received, the commissioner’s office will evaluate the department’s handling of the breach, including the circumstances leading up to the non-compliance and the department’s response and investigation. Based on the evaluation, the office provides the department with recommendations for additional mitigating measures, as required, and to prevent similar breaches going forward.
Yukon Party Leader Currie Dixon told reporters in the legislature following question period on Oct. 17 that it’s concerning when private data gets made public, while Yukon NDP Leader Kate White wondered how widespread data breaches are within the territorial government.
This latest incident is the Yukon government’s second known data breach in two months.
In late August, an employee of the Education department sent an email to an unknown member of the public with a spreadsheet of personal data for people who applied for a Yukon Grant in 2022.
On Sept. 13, Education Minister Jeanie McLean was notified of the breach and, on Sept. 15, letters were sent out to the 537 impacted individuals to notify them of the breach.
During question period on Oct. 11, the Yukon Party asked the Education minister about the timeline of the notification, as well as data collection and storage.
“We’re talking about names, dates of birth and social insurance numbers. Those are pretty serious pieces of personal privacy,” Dixon said last week during question period.
“The question for the minister is simple: Does she think that the more than three-week gap between the incident occurring and these people being notified is an acceptable length of time?”
Yukon Party MLA Scott Kent asked: “Does the minister think that collecting this type of information and storing it in an apparently easy-way-to-access Excel spreadsheet, which can apparently be accidentally e-mailed, meets the threshold of appropriate management of this type of private information?”
In response, McLean said her department followed the privacy breach protocol set out by the Access to Information and Protection of Privacy Act office, which identifies notification timelines.
“The department is actively reviewing internal training and processes to prevent privacy breaches in the future,” McLean said.
Contact Dana Hatherly at firstname.lastname@example.org