The Winnipeg Regional Health Authority is dealing with one of the largest patient privacy breaches it has ever seen, after a file containing some personal details about 1,000 people was taken from a locked office inside the city's largest hospital in October.

Health authority officials say a file with billing information related to diagnostic imaging procedures — and containing details about approximately 1,000 patients who underwent those procedures — was removed from a diagnostic imaging office at the Health Sciences Centre on Oct. 7.

Officials say the paper file was taken from a locked room within an area of the hospital that's accessible only by swipe cards. It has not been found to date.

The file listed patients' names and birth dates and identified the medical tests and exams they had — such as CT and MRI scans and biopsies — as well as medical chart reference numbers and physician details. It could also indicate where on a patient's body a scan or other procedure was performed, says the health authority.

The WRHA started sending letters to affected patients on Tuesday, said Réal Cloutier, the health authority's vice-president and chief operating officer.

"We take our responsibility as a trustee of health information seriously and we expect that we protect that information, and unfortunately in this case we have a situation where information was taken," he told reporters on Wednesday.

Anyone who receives a letter should monitor their financial statements as they normally would, but there is no evidence at this point that affected patients would need to take further action to guard their personal health information, the WRHA says.

The Winnipeg Regional Health Authority is notifying about 1,000 patients after a file containing some of their personal information, including their names and birth dates, went missing from a locked office at the city's largest hospital in October. 2:29

Cloutier said the Winnipeg Police Service is investigating the case, and the health authority is conducting its own human-resources and security reviews.

A private security firm with experience in human resources has also been hired to review the incident, he added.

"I just want to be clear that the information that was taken was a minimum amount of health information…. Notwithstanding that, this is a breach and we expect that we will have follow-up on our investigation," he said.

"We're doing everything possible to actually recover the file but, again, that's in the hands of the investigators at this point."

'It raises all the flags'

Security concerns over these kinds of breaches usually fall into two categories, said David Fraser, a privacy lawyer with McInnes Cooper in Halifax. There is the obvious heightened risk of identify theft, but Fraser said victims also face the potential embarrassment of having very sensitive personal details released.

To go into a cabinet and carry out a thousand files, that suggests a significant amount of effort and a significant amount of determination on the part of the bad guy. - David Fraser

"The name and [date of birth] is not sensitive information in the grand scheme of things, but anything related to your health and the continuum of health, that is very intimate and personal information that could be used for all sorts of purposes, including blackmail," Fraser said.

Fraser said the burden is on the WRHA to do more to help ease the fears of victims impacted by the security breach.

"If I were the victim of such a breach, I would probably be expecting that the health authority would pay for credit monitoring to make sure that any suspicious activity on the credit report was flagged and caught," Fraser said.

"I would suggest that the burden should be on [the WRHA] to make sure that they've taken all steps reasonably necessary to assist the affected individuals to mitigate all risks associated with this."

Fraser also believes the WRHA may know about the breach than they are letting on.

"To go into a cabinet and carry out a thousand files out, that suggests a significant amount of effort and a significant amount of determination on the part of the bad guy," he said. "It raises all the flags."

No evidence of forced entry

Cloutier would not say if a suspect has been identified, but the WRHA says there was no evidence of forced entry into the room.

Everyone who had access to the area has been interviewed, and both the police and private investigators have been reviewing surveillance video footage.

"We have examined the video in the building, in the area where this room is located. We don't actually have visuals on the room itself," he said.

Cloutier said officials do not know why someone would have taken the file, but he added that the minimal amount of personal detail would not be very useful to anyone with malicious intentions.

"We don't believe that the file was taken for nefarious reasons but, again, we have a duty to inform people so that they're mindful of what has happened," he said.

The records did not include patients' diagnostic information, he added.

In light of the incident, Cloutier said the WRHA has beefed up security in the area where the file was stolen. For example, the locks have been changed in the office in question, and only the supervisor has access to that room and the new key, he said.

Filing cabinets in the office, which were not locked at the time the file went missing, are now locked in addition to the room itself, a health authority spokesperson said.

Cloutier said the WRHA is moving toward an entirely digital patient information management system, but it's not fully digitized at this time and that means there are still paper records.

"We've been progressively moving to digital. We've been on that journey for the last 10 years and we probably have another 10 years to go," he said, adding that health authorities in other provinces face similar issues.

Other patient information breaches

It's not the first time the WRHA has had to notify patients about their personal information potentially being compromised after medical documents were stolen or accessed inappropriately.

Two recent incidents happened within days of each other in January. In the first incident, a case containing the printed health summaries of 67 patients was stolen from an on-duty nurse's parked car.

Three days later, a bag containing the care sheets of 25 clients — many of them seniors — was stolen from the vehicle of a home-care employee.

In both cases, the documents that were taken contained names, addresses, medication details, health information numbers and other information that is supposed to be confidential.

Cloutier issued a public apology for both incidents, saying the employees in question had breached the health authority's rules for handling and storing sensitive documents.

In 2014, a laptop containing the personal health information of 322 patients was stolen from the office of a doctor at the Health Sciences Centre's liver clinic.

Meanwhile, the WRHA discovered in March 2015 that a pharmacist, who at the time was working at Grace Hospital, used an electronic patient information system to view the medical charts of 56 patients who were not necessarily connected to the hospital.

A report by Manitoba Auditor General Norm Ricard, released several months later, identified "significant" weaknesses in the health authority's cybersecurity system that left it "unnecessarily vulnerable to personal health information falling into the wrong hands."