Patients have a right to know about glitches first and fast
ARMCHAIR MAYOR SAYS — When there’s a problem, or potential problem, having to do with the healthcare system that might affect me, I’d like to know about it promptly.
Monday, LifeLabs revealed that one of its computers arrived back in Kamloops from repairs in Burnaby without its hard drive and RAM. On the hard drive is personal information from more than 16,000 Kamloops-area patients — names, addresses, birth dates, personal health numbers, gender, electrocardiogram results, and doctor’s info.
There’s a recurring theme here. A couple of weeks ago, personal health data of 83 Royal Inland Hospital patients was forgotten on a City bus by an Interior Health Authority employee. Fortunately, the driver returned the files.
Two and a half years ago, endoscopy equipment at Royal Inland Hospital was found to have been improperly cleaned. Nine thousand patients, including me, were affected.
It took five months for IHA to make it public. A few days after that, a letter arrived from the health authority assuring me the risk of anything bad resulting from the situation was somewhere between one in a million and one in 10 million, about the same chance as being struck by lightning.
In the healthcare field, apparently, lightning can strike more than once. LifeLabs couched the potential for identity theft a little differently than IHA did about contamination, calling it “very small.”
Letters to patients were sent out Friday. As we all know, anything mailed from Vancouver often takes more than a couple of days to get here. Tuesday, not having received a letter, I called the LifeLabs information number and found out I had no ECGs that would have been on the hard drive in question.
Despite a sense of relief that a criminal isn’t on the loose with my personal information, the delay in revealing such things bugs me. LifeLabs knew about the breach in January.
Patients have a right to know post haste, not months after the fact. To LifeLabs’ credit, its crisis management was pretty good — CEO Sue Paish struck an appropriately apologetic note in her mea culpa, assuring patients everything possible was being done to “minimize the likelihood” it could ever happen again.
Clearly, all levels have been well briefed on the situation and on the message. My phone inquiry was handled promptly and pleasantly. But there’s still this thing about taking months to acknowledge something went wrong.
“It’s unacceptable to take this amount of time to notify the government and the Office of the Privacy Commissioner about a breach like this,” said our new health minister, Terry Lake.
What about the patients? I know it’s a tricky thing to properly time the release of information to various stakeholders, and that the letters were sent one business day before the public announcement, but patients should be the first to know. Other than financial information, there’s nothing more sensitive than personal health records.
LifeLabs says the ECGs are password protected, which is little comfort in this age of hackers. In future, they’ll also be encrypted. I’m not a computer whiz, but I’d suggest another step — the next time a computer leaves the security and control of the lab, transfer the data from the internal drive to an external hard drive for safe keeping, and scrub the computer.
Communication with patients and the handling of personal data in our healthcare system need a tuneup.
