[BreachExchange] Government privacy breach leaks info on 9,000 Children's Disability Services clients

Destry Winant destry at riskbasedsecurity.com
Tue Sep 1 10:14:32 EDT 2020


https://www.cbc.ca/news/canada/manitoba/privacy-breach-manitoba-families-childrens-disability-services-1.5703482

The Manitoba government says there has been a privacy breach that
unintentionally shared personal information about Children's
Disability Services clients.

The information was shared with service agencies and community
advocates that work with individuals with disabilities, Manitoba
Families said.

"On Aug. 26, CDS staff accidentally sent an email intended for the
Manitoba Advocate for Children and Youth (MACY) to about 100 agencies
and advocacy groups," a Friday morning news release from the province
said.

"The email contained a spreadsheet with information about
approximately 9,000 children who are CDS clients, as well as
information about a matter currently being reviewed by MACY."

The email included personal information about the children, including
their diagnoses and addresses, but did not include personal health
identification numbers, social insurance numbers or any financial
information, the news release says.

The spreadsheet was password protected, but the password was also provided.

The province on Thursday called all the recipients to ensure the email
was deleted.

"Manitoba Families has agreements in place with service providers that
set out expectations for protecting personal information, in addition
to their broader legal requirement to protect privacy and
confidentiality," Friday's news release says.

The province said it is also calling all of the affected families to
advise them of the breach and to apologize.

"The mistake was human error, however the department is following up
with staff to review and improve processes to avoid this happening
again," the news release says.

The matter has also been referred to the Manitoba ombudsman, as is
standard practice, the province said.

In an emailed statement Friday afternoon, the Manitoba Advocate for
Children and Youth said it is "working with the government to
determine the nature and scope of the breach."

The advocate also suggested the incident would bring about a change in
the way sensitive information is shared.

"To date, the advocate has allowed the government to send information
according to their existing procedures," MACY's statement reads.
"Going forward, the advocate will be meeting with government and
relevant organizations and then will set the procedures on the ways in
which information must be supplied."

'I would be very concerned'

Ann Cavoukian, executive director of the Global Privacy and Security
by Design Centre, a consulting firm based in Toronto, said she is
stunned by the breach, and by what she sees as poor followup by the
government.

"It's just astounding to me. It's just, it's mind boggling to me and
it's very serious — you have to protect this data," she said.

"I know data breaches happen and mistakes happen. If you're sending it
to one group and you get it wrong and it ends up in the hands of
another group, things happen. But 100 different groups? How does that
happen? That's huge."

Though she doesn't suspect any of those agencies or community
advocates of having the ill will to do something with the information,
the fact is, it is out there now, said Cavoukian, who served three
terms as the Ontario privacy commissioner.

Ann Cavoukian, the former privacy commissioner of Ontario, says the
Manitoba government needs to do repeated followup to make sure anyone who
received the email in error has deleted it. (Joe Fiorino/CBC)

"As you distribute personal information like this to organizations
that aren't supposed to have it, invariably something happens," she
said.

Asked if she ever came across anything like this during her time as
privacy commissioner, Cavoukian said there were certainly cases of
inappropriate uses of personal information from time to time — "but
nothing on this scale."

"If I was commissioner now and this happened in Ontario, I would be
very concerned about it. I'd be all over it."

The proper response would be to send government representatives to
personally check on those groups that received the email in error, not
phone or send a message asking them to delete the email, Cavoukian
said.

"You're just expecting them to delete it because you ask them to? How
can you place your assurance in that?" she said.

"There's got to be some followup and checking with all these
agencies repeatedly until you can be given assurances that, in fact,
the data has been deleted and it was never actually accessed.

"This is very sensitive information, sensitive personal information on
disabled children. It should never have gone out to 100 different
groups."

