http://www.theglobeandmail.com/servlet/GIS.Servlets.HTMLTemplate?tf=tgam/common/FullStory.html&cf=tgam/common/FullStory.cfg&date=20011210&cache_key=national¤t_row=1&start_row=1&num_rows=1 By GRAEME SMITH Monday, December 10, 2001 Page A1 The private medical files of thousands of Ontario patients have been stored on-line where they're vulnerable to hackers and the prying eyes of government-hired technicians, according to documents obtained by The Globe and Mail. Less than a month after the Health Ministry set up a much-vaunted patient-information database for doctors, Ontario's privacy commissioner is investigating the system for breaching one of the most sacred tenants of medicine: doctor-patient confidentiality. The commissioner is looking into a wide range of allegations, from whether private companies have been given access to patient information to whether some of the information has already been lost. Ken Anderson, director of legal and corporate services for the commissioner's office, said the probe could take weeks and the office won't comment in the interim. But in the meantime, privacy advocates such as Richard Rosenberg, vice-president of Electronic Frontier Canada, say such mismanagement of information could undermine the health system. "If I can't trust the security or privacy of that system, then as a patient I might withhold information which could affect my treatment," Dr. Rosenberg said. "The whole system collapses if you don't have that assurance." The Ontario government set up the computer system last month as part of its five-year struggle to revolutionize family medicine. Health Minister Tony Clement has said he plans to have 80 per cent of family doctors working in teams, or primary-care networks, by 2004. Doctors will share information with each other over the Internet to improve efficiency and provide better service. The so-called ePhysician Project received approval from Privacy Commissioner Ann Cavoukian one day before the first team of four doctors, in the Chatham, Ont., area, started using the system on Nov. 1. The project has since expanded to include nine Chatham-area doctors with 1,500 to 2,000 patients each. But the privacy commissioner wasn't told several details about how the information is handled. Government contracts, meeting minutes and internal correspondence about the Chatham project reveal a long list of items now under investigation by the commissioner's office, including: Vulnerability tests showing that the system can be "hacked into by anyone with skill" over the Internet, an e-mail by a Ministry of Health official says. These security problems became apparent on the first day the system was up and running, although the privacy commissioner was not informed. Patients were not fully informed about what happens to their data. Although they were told that other doctors could see their files, most patients don't know that their information is stored on a server in a Ministry of Health building in Toronto. A computer technician took unencrypted backup tapes, containing thousands of medical records, to his home for several nights. Three of the tapes were lost, according to a source, although the Health Ministry denies any tapes were misplaced. Three private companies have been granted access to patient information. Two of the companies, software developers that helped build the system, can look at raw data files including patients' names and medical histories. The ministry denies this. A company hired to store backup tapes containing all the medical files has only agreed to $1 liability if a tape is lost or stolen. The Health Ministry says patient records have been handled properly. "As far as I've been able to check, there have been no tapes lost," said ministry spokesman John Letherby. "Patient-doctor confidence is of the utmost importance. The three [companies] do not have access to patient data or information. "As many safeguards as humanly and technologically possible are put in place to ensure that the only people who have access are doctors and patients involved." But internal documents indicate that the number of people who can see patients' information isn't so strictly limited. A contract with Markham-based software company York-Med Systems Inc. explicitly gives the technicians access to pieces of "raw data" so they can perform "system maintenance, backup or data recovery." An e-mail from a ministry official to one of the Chatham doctors says that the government will also give Edmonton-based iW Technologies Inc., maker of the Vividesk software used by the project, full access to the doctors' and patients' information. - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Wed Dec 12 2001 - 01:41:59 PST