N.L. privacy commissioner 'deeply concerned' about Facebook's response to health info breach

Newfoundland and Labrador's privacy commissioner says he is "deeply concerned" that Facebook declined to remove personal medical information posted on its site, despite repeated requests from health officials, and only took action after receiving inquiries from the media.

"I am disappointed that Facebook is prepared to do the right thing when its reputation is at stake, but is not willing to adhere to its stated community standards when contacted through the channels available to the public," Michael Harvey wrote in a letter to the social media giant on March 31.

"Unless Facebook improves its process for reporting the posting of private information without consent, I must assume that the best advice I can provide to any individual who brings a similar matter to my attention in future would be to go directly to the media, rather than using Facebook's reporting process."

Facebook has reached out to the commissioner's office.

"We're always improving our reporting systems and apologize for the delay in removing this content," a Facebook company spokesperson said in an email to CBC News.

"Posting personal or confidential information about others without prior consent is against our policies, which is why we removed the post."

Late Monday, Harvey told CBC News he had a "productive discussion" with a senior Facebook official, and they agreed on a path forward to address the concerns that were raised in the letter.

The commissioner said he is "pleased that Facebook appears to be giving the matter consideration at a senior level and optimistic that we can work together to avoid situations like this happening in the future."

Peter Cowan/CBC

On Feb. 9, a Facebook user posted pictures on their page that showed the MCP number, address and detailed medical information — including prescriptions and test results — of a named person.

In his letter to Facebook, Harvey said screen captures containing 111 files of 34 identifiable individuals were posted in total. The file names were the names of patients who attend a cystic fibrosis clinic in St. John's. 

The Facebook user who posted the information doesn't work at the clinic or any health authority in the province, according to the commissioner, and it's not yet known how he came into possession of it.

Eastern Health reported the privacy breach to Facebook on Feb. 10. According to Harvey's letter, the health authority was twice told by Facebook that the post did not go against its community standards.

However, less than two hours after being contacted by CBC News on Feb. 14, Facebook removed the post.

Harvey's letter questioned how the situation was handled.

"Facebook's process for assessing violations of community standards is clearly inadequate," he wrote in his letter to Garrick Tiplady, the managing director of Facebook Canada.

'Potential for real harm to be done'

In an interview with CBC News, Harvey stressed that privacy breaches can be damaging.

"Once that information is out there on the internet, you can't get it back, and there is potential for real harm to be done," he said.

Eastern Health reported the information breach to the Royal Newfoundland Constabulary back in February.

This week, the health authority said an internal investigation did not identify the source of the breach.

Eastern Health steered further inquiries to the police.

The RNC did not comment before deadline.

Read more from CBC Newfoundland and Labrador