A health centre staff member at the University of Lethbridge included confidential information in a non-encrypted spreadsheet and accidentally emailed it to a student last month.
Elsa Perry of Calgary is one of the more than 1,200 patients affected by the error.
Perry was a PhD student in Lethbridge but moved back to Calgary in 2019. While she studied there, she used the school's on-campus health centre. Earlier this month, Perry received what she calls an alarming email regarding her history at the clinic. "The email was letting me know there had been a data breach," Perry said.
"A staff member had placed my confidential information — including my full birth name, my birth date, and my personal health number — on a non-encrypted spreadsheet, and then accidentally emailed that to a student." CBC News received an emailed statement from the University of Lethbridge that said other information, including gender and a list of family physicians the patients had seen dating back to 2015, was also included.
The violation affects 1,225 patients, who were students, staff and faculty.
No other information was included in the document.
The incident happened June 23 and was discovered the next day. The health centre contacted the student who had received the information in error by email, asking that the spreadsheet be deleted.
By July 9, when there had been no response from the student, the email was deleted.
That's 15 days after the mistake was discovered. Perry's letter to inform her of the compromised data arrived on July 13, three weeks after it happened. Perry feels the school and the health centre are downplaying the incident. "This entire process is problematic. The delayed timeline with contacting the IT department to get the email deleted really concerns me," Perry said. "So my questions are, what's stopping this from happening again, and what are the protocols and due processes in place, if there are any? Are staff members being trained in how to properly handle this type of confidential information?"
A traumatic experience
The school says it is taking action.
"Maintaining the privacy of confidential information is of the utmost importance to the staff of the U of L Health Centre, a responsibility they take very seriously," reads a section of the university's statement.
"A mistake was made, and as a result, the health centre's protocols for handling personal information have been thoroughly reviewed and communication policies and privacy protocols have been reinforced with all staff members."
Perry calls the whole experience traumatic, and says more needs to be done.
"The last thing I would really like to see happen with this is an official review. And I'd like to know: will the results be shared with everyone who is greatly impacted by this?
"Or, are we just supposed to believe this will all happen as it's supposed to, behind closed doors?"
There is an official investigation underway by Alberta's Privacy Commissioner, which confirms the violation was reported to the office in early July.
Perry doesn't just want the commissioner's office to find out what went wrong. She wants the incident to spark policy changes to ensure this doesn't happen again. She doesn't believe the student who received the information in error has any intention to use her data but worries nonetheless — and says it is now up to her to monitor her credit for untoward activity at her own expense. "The onus is on me every day now to make sure that my information is not being used improperly," Perry said.