This morning on CBC's Metro Morning, I heard a story (MP3 of the podcast) about how there was a privacy breach within the University Health Network (UHN) here in Toronto. Basically a USB flash drive was stolen from an employee's purse, containing the health records of about 700 patients. The host of Metro Morning had the Ontario Privacy Commissioner on the show, to comment on the incident, and a few things struck me as really really bad:
1. The Ontario Privacy Commissioner only heard about this privacy breach because Metro Morning contacted her to talk about the story.
I have one word for that: OUCH. Her office is clearly not doing its job properly if she has to find out about this breach from a freaking media outlet. Also, the UHN is being irresponsible by not reporting this to the Privacy Commissioner. I hope that both UHN officials and the Privacy Commissioner's office are seriously reprimanded for this.
2. At the beginning of the show, Matt Galloway, the host of Metro Morning, played a clip from the Privacy Commissioner talking on the show after a privacy breach last year, saying how they put tougher measures in place to prevent such things from happening.
HA! I guess you hired the wrong consulting company to fix that problem for you.
3. After losing face from items 1 and 2, she started talking about how people must be more careful when they put data on USB drives and how they must be sure to encrypt their data when placing data on said USB drives.
While I agree that people should be careful when putting data on USB drives, let's face it. Some people are idiots and don't think when they put data on a flash drive. We basically need an idiot-proof system here. I work at the type of place where losing critical data has very dire consequences. As a result, our IT staff have put measures in place to ensure that data are automatically encrypted on a USB flash drive in case some dumb-ass decides to put sensitive data on a USB flash drive. So clearly there are very effective ways to prevent such privacy breaches. Which makes me wonder who the hell was put in charge of security. That person should be fired for suggesting a crappy solution.