DataBreaches.Net

Ca: Investigation finds veteran’s personal information was mishandled

Posted on October 7, 2010 by Dissent

In response to recent news of a breach involving a veteran’s medical information, the Privacy Commissioner of Canada has already completed an investigation and announced findings.  From the press release:

An investigation has highlighted the serious mishandling of a veteran’s personal information, entrusted to the care of Veterans Affairs Canada, says Privacy Commissioner Jennifer Stoddart.  Today she announced her investigation findings and provided more detail about an upcoming audit of the Department.

“What we found in this case was alarming,” says Commissioner Stoddart, who launched the investigation after the veteran complained to her Office.

“The veteran’s sensitive medical and personal information was shared – seemingly with no controls – among departmental officials who had no legitimate need to see it.  This personal information subsequently made its way into a ministerial briefing note about the veteran’s advocacy activities.  This was entirely inappropriate.”

The investigation confirmed that the Department contravened the Privacy Act in the way it handled this veteran’s personal information.  The law requires that personal information be used only for the purposes for which it was collected or for other consistent purposes and that it be shared only on a need-to-know basis.

The investigation confirmed that two ministerial briefing notes about the complainant contained personal information that went far beyond what was necessary for the stated purpose of the briefings.  This included sensitive medical information as well as details about how the complainant interacted with the Department as a client and an advocate for veterans.

One of the notes, prepared in March 2006, was to brief the Minister on the complainant’s participation in a Parliament Hill press conference where he was critical of the Department’s handling of veterans’ issues. In addition to describing the complainant’s advocacy activities, the briefing note contained considerable sensitive medical information, including diagnosis, symptoms, prognosis, chronology of interactions with the Department as a client, amounts of financial benefits received, frequency of appointments and recommended treatment plans.

The Privacy Commissioner was also deeply concerned that officials from numerous branches of Veterans Affairs, including Program Policy, Communications and Media Relations, were involved in discussing and contributing to the content of the briefing notes and also had full access to them.

This sensitive personal information was inappropriately shared with departmental officials who would normally require only very limited or no access to medical information in fulfilling their duties. It was clear that many of those officials had no need to know the complainant’s medical information in order to add their contribution to the briefing notes.  There was a clear lack of controls to protect sensitive medical information from being widely disseminated within the Department.

The investigation also raised concerns about the fact that the Department sent several large volumes of the complainant’s personal and medical information to a hospital that it administers without obtaining his consent.

In light of her findings, the Privacy Commissioner has recommended that Veterans Affairs Canada:

  • Take immediate steps to support an enhanced privacy policy framework with adequate protections and controls to regulate access to personal information within the Department.
  • Revise existing information-management practices and policies to ensure that personal information is shared within the Department on a need-to-know basis only and is appropriately limited to what is necessary to fulfil the operational requirements of its programs.  Personal information, including but not limited to sensitive medical information, should not be shared with programs that have no operational requirements for access to such information.
  • Provide training to employees about appropriate personal information-handling practices.
  • Review and comply with its existing policies and procedures concerning hospital referrals to ensure that the consent for the transfer of personal information has been obtained and that the information shared is limited to that which is necessary.

As a result of what was learned during the investigation, as well as information that has come to light through media reports and telephone calls to her Office, the Privacy Commissioner has decided to launch an audit of the Department’s handling of veterans’ personal information.

The scope of the audit and a timeline is still under consideration.  Broadly speaking, it will examine the Department’s policies and practices against its federal privacy obligations.

The audit may provide guidance as the department implements the recommendations stemming from our investigation.

“I would like to thank the veteran who filed this complaint for bringing these important issues to light,” says Commissioner Stoddart.  “We also thank the Minister and the Department for their cooperation.  We are pleased to hear the Minister say that he is committed to resolving these problems.”

A case summary of the complaint investigation is available on the Office of the Privacy Commissioner’s website, www.priv.gc.ca.

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.

Category: Health Data

© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.