Christopher Seminerio felt uneasy about providing his personal information to a private testing company so he could cross the Peace Bridge into Fort Erie, Ont., from the U.S. in August, but says he didn't have a choice if he wanted to return home.
Seminerio, a salesman for a tech company who lives in Toronto, had already provided the border officer with proof of COVID-19 vaccination and proof that he'd travelled to New York for work reasons, plus a negative PCR test result within 72 hours.
But he was still required to go to a nearby racetrack parking lot, enter his name, address, birth date and passport, health card and cellphone numbers into the Switch Health app and undergo the additional swab, he said.
"I think this testing requirement was unneeded, but also the fact that I had to provide all this information was not something that I was comfortable with," Seminerio told CBC News.
Seminerio said only then was he allowed to enter Canada. A few days later on Aug. 13, he received his negative COVID-19 test result from the Toronto-based company called Switch Health and continued on with his summer, not using the service again.
Last week, however, he unexpectedly received an email from Switch Health saying his test result was available. Confused, he logged into the app.
There he found another person's test order and results, but with all the personal information he'd entered for his own test months earlier. He'd also been sent a second person's test order with their birth date, but with his health card and passport numbers and contact details.
Alarmed, Seminerio called Switch Health.
"I'm thinking, where else has my data been sent to? Where else can it be found?" he said.
Seminerio said the Switch Health representative he spoke to was apologetic and assured him his information was safe.
"Which seems like the most ridiculous statement as I'm looking at someone else's private health information," Seminerio said. "They had no way to answer how they could prove or guarantee that mine wasn't shared with anyone else."
He requested that his account be deactivated and all his personal information be deleted from Switch Health's databases, but he's still concerned about where else it might be stored or who else might've inadvertently received it.
Switch Health says it's taken action
Switch Health, contracted by the federal government to handle testing for those entering Canada, is aware of "a recent concern that was raised regarding the inadvertent receipt of test results," said spokesperson Jordan Paquet.
"At Switch Health, security of patient information is a top priority. When we became aware of this issue, we immediately took corrective action and have contacted the individuals involved regarding the error."
He noted Switch Health has successfully administered more than two million COVID tests.
After this story was published, Health Canada spokesperson Alexander Beattie told CBC News it was working with Switch Health to determine the root cause of the issue and address any deficiencies. He said the Office of the Privacy Commissioner has also been informed of the incident.
Fully vaccinated travellers over the age of five crossing the border could be selected for random testing, in this case by Switch Health, as determined by a computer algorithm, Beattie said. Between Aug. 9 and Oct. 9, about 171,000 travellers underwent random testing.
"Testing providers contracted to support the Canada Border Testing Program are required to manage personal health information in accordance with applicable privacy legislation and based on the volume of tests processed, there is evidence that robust measures are in place to achieve that requirement," he said.
Canadians should be concerned, expert says
However, senior research associate Christopher Parsons at the University of Toronto's Citizen Lab said Canadians are right to be concerned about security when entrusting private companies with their personal health information — a growing requirement as governments continue to manage the pandemic and reopening.
"It's important to know that these aren't really free decisions," Parsons said.
"I don't really have a choice to use whatever protocol or app is suggested to see my grandmother. So it's imperative these companies handle case information with the care that's appropriate."
The type of information people like Seminerio are being asked to hand over would be enough for the wrong person to create a false identity and sign up for credit cards and loans, Parsons said.
This information should be deleted immediately after it's used by private companies, but under federal law Canadians don't have "a right to be forgotten," he said.
The pandemic has raised questions as to how COVID-19-related apps have been developed and also what processes governments have established to ensure individual information remains secure, said Parsons. The U.S. government, for example, now awards contracts only if companies have met a series of security requirements. Canada could do the same, he said, or develop its own apps in-house.
"Hopefully the government becomes a lot more proactive and it isn't relying on good Samaritans to come forward," he said.
"That should not be the solution to cybersecurity."