I had the honour of presenting on cybersecurity oversight today at the Association of Workers’ Compensation Boards of Canada annual Governance Summit. The theme ended up being about leadership and empowerment. I’d like board members to believe that the information security knowledge they require to meet their duties is well within their grasp and to feel a little excited about the learning process. Slides below FYI.
Manitoba Ombudsman Jill Perron has issued her report into Manitoba Families’ 2020 e-mail incident. The incident involved the inadvertent e-mailing of personal health information belonging to 8,900 children in receipt of disability services to approximately 100 external agencies and community advocates. It is such a common incident that it is worth outlining the Ombudsman’s incident response findings.
Manitoba Families meant to transfer the information to the Manitoba Advocate for Children and Youth to support a program review. It included information about services received. Some records included diagnoses.
Manitoba Families mistakenly blind copied the external agencies and advocates on an e-mail that included the information in an encrypted file and a follow-up e-mail that included the password to the file. It had made the same mistake about a week earlier. Several agencies alerted Manitoba Families to its error, and it began containment within a half hour.
The Ombudsman held that Manitoba Families’ containment effort was reasonable. She described it as follows.
Attempts at recalling the email began minutes later at 8:29 a.m. and continued at various intervals. Also, at 8:35 a.m., CDS sent an email to all unintended recipients noting in bold that they were incorrectly included on a confidential email from Children’s disAbility Services and requested immediate deletion of the email and any attachments. Follow up calls to the unintended recipients by CDS program staff began to occur that morning to request deletion of the emails and a list was created to track these calls and the outcomes. A communication outline was created for these calls which included a request to delete emails, a further request that emails be deleted from the deleted folder and that any emails that went to a junk email folder also be deleted…
In January 2021, we received additional written communication from the program stating that all agency service providers and advocates were contacted and verified deletion of the personal health information received in error. The log form created to track and monitor the name of the organization, the date and details of the contact was provided to our office.
The Ombudsman reached a similar finding regarding Manitoba Families’ notification effort, though she needed to recommend that Manitoba Families identify the agencies and advocates to affected individuals, which Manitoba Families agreed to do upon request.
What’s most significant – especially given class action proceedings have been commenced – is a point the Ombudsman made about evidence that Manitoba Families appears not to have gathered.
In addition to assuring families about the deletion of the email, additional information such as who viewed the email, if the attachment was opened and read, whether it was forwarded to anyone else or printed, whether it was stored in any other network drive or paper file or, conversely, that no records exist – can be helpful information to provide those affected by a privacy breach. It is best practice, therefore, to provide families with as much assurance as possible about the security of their child’s health information.
The question is, what is one to make of an arguable shortcoming in an incident response investigation? I say “arguable” because the probability of any of these actions occurring is very low in the unique circumstances of this incident, which involved trusted individuals receiving a password-protected and encrypted file. Manitoba Families ought to have collected this evidence because they called the e-mail recipients anyway, it is helpful and was probably available for collection. If it did not do so, however, I believe it is perfectly acceptable to for Manitoba Families to stand by the scope of a narrower investigation and and put the plaintiff to proof.