Steps taken to ensure security of patient information after data breach in Lethbridge
Violation affected 1,225 patients after spreadsheet emailed to wrong recipient
The director of the health clinic at the University of Lethbridge says she has taken steps to ensure patient information remains secure after a data breach earlier this summer.
A staff member at the University of Lethbridge mistakenly included confidential information in a spreadsheet that was meant for a staff member.
The document was emailed to a student with the same name.
Clinic director Natalie Pilsner said she fielded calls from worried patients who feared their medical information had been disclosed. She said staff were simply organizing clinic information — and wants to assure anyone who still has concerns about that.
"It was name, date of birth, gender, as well as the physicians that they'd seen in the past five years," Pilsner Said.
"So what we were trying to do was, to find out which clinic people were attached to — to find out do they still go to the university or are they attached to another clinic?' She continued.
The spreadsheet also included the patients' personal health numbers.
Pilsner said the work was halted as soon as the information breach was discovered.
Tracing the email
The violation affects 1,225 patients, mostly students and former students.
The incident happened June 23 and was discovered the next day.
The health centre contacted the student who had received the information in error by email, asking that the spreadsheet be deleted.
By July 9, when there had been no response from the student, the email was deleted by the school's IT department.
That's 15 days after the mistake was discovered.
Pilsner said that since then, she has been able to speak to the student who received the spreadsheet.
She said the semester was over and the student simply hadn't been checking her university account.
"[The student] emailed back, kind of like, 'Oh, I didn't even realize I was the one that had received the email," Pilsner said.
"She did put in writing, and also verbally that she didn't send, look at, or forward any information in that email. So that was reassuring to me, and we put out a statement to all of the patients who received the original email, stating that is where we are at."
Refresher course
The breach affects 1,225 patients, mostly students and former students.
Calgarian Elsa Perry is a former PhD student, and one of the students whose information was enclosed in the spreadsheet.
She wondered why the information wasn't encrypted.
"So my questions are, what's stopping this from happening again, and what are the protocols and due processes in place, if there are any? Are staff members being trained in how to properly handle this type of confidential information?" asked Perry.
Pilsner said staff are all being retrained to ensure the mistake won't be repeated.
"It honestly was just a mistake, but as the manager, I'm going to make sure that this is taken care of. I have spoken to our IT department and we are getting specialised training," Pilsner said.
"I can't apologise enough."