Last week Edmonton's Capital Health Region . In May.
That's right, the laptops were stolen in May.
So why is this just coming to light now, not only for the media but for the patients whose information was stolen? The CBC reports:
[Capital Health Region] spokesman Steve Buick said the reason they took so long to inform the public is because they wanted to consult with the Privacy Commissioner.
'There's no particular urgency to this, no one's health is going to be compromised,' he said.
What leads them to believe that?
The laptops had cable lock devices to secure them to staff desks in a secure building, but the thieves managed to steal them in the evening, said the health authority. Only one of the four computers had patient information on it, information that is only available by getting past two passwords.
Was three months a reasonable amount of time for the Capital Health Region to delay notification?
Last Wednesday, the Privacy Commissioner of Canada, Jennifer Stoddart, released (PDF). A sentence in Step 3: Notification reads, "Notification of individuals affected by the breach should occur as soon as reasonably possible following assessment and evaluation of the breach."
The CBC article provides : Last December, just a quick drive south on provincial highway 2, Calgary Health Region lost a laptop to theft, compromising over 1,000 patients' information -- all of them children in a mental health program. The Calgary administration notified families immediately.
The result? The health region got a slap on the wrist from the provincial privacy commissioner for failing to follow several security policies, but got away largely unscathed. An investigator even lauded their efforts: "For the most part, the Calgary Health Region does a good job protecting information, and has been taking steps to improve security."
In January, a doctor's laptop containing health info on nearly 3,000 Toronto Sick Kids' patients was stolen. The hospital in that case waited two months before telling the public, leading to a change in Ontario's privacy rules. In June, Lonny Rosen, NRM's Health Lawyer columnist, :
I'm afraid this decision sends a clear message that sensitive patient information should never be stored on a laptop (or even sent by email) unless it's de-identified or encrypted.