Government privacy breach leaks info on 9,000 Children's Disability Services clients

The Manitoba government says there has been a privacy breach that unintentionally shared personal information about Children's Disability Services clients.

The information was shared with with service agencies and community advocates that work with individuals with disabilities, Manitoba Families said.

"On Aug. 26, CDS staff accidentally sent an email intended for the Manitoba Advocate for Children and Youth (MACY) to about 100 agencies and advocacy groups," a Friday morning news release from the province said.

"The email contained a spreadsheet with information about approximately 9,000 children who are CDS clients, as well as information about a matter currently being reviewed by MACY."

The email included personal information about the children, including their diagnoses and addresses, but did not include personal health identification numbers, social insurance numbers or any financial information, the news release says.

The mistake was human error, however the department is following up with staff to review and improve processes to avoid this happening again- Manitoba government news release

The spreadsheet was password protected, but the password was also provided.

The province on Thursday called all the recipients to ensure the email was deleted.

"Manitoba Families has agreements in place with service providers that set out expectations for protecting personal information, in addition to their broader legal requirement to protect privacy and confidentiality," Friday's news release says.

The province said it is also calling all of the affected families to advise them of the breach and to apologize.

"The mistake was human error, however the department is following up with staff to review and improve processes to avoid this happening again," the news release says.

The matter has also been referred to the Manitoba ombudsman, as is standard practice, the province said.

In an emailed statement Friday afternoon, the Manitoba Advocate for Children and Youth said it is "working with the government to determine the nature and scope of the breach."

The advocate also suggested the incident would bring about a change in the way sensitive information is shared.

"To date, the advocate has allowed the government to send information according to their existing procedures," MACY's statement reads. "Going forward, the advocate will be meeting with government and relevant organizations and then will set the procedures on the ways in which information must be supplied."

'I would be very concerned'

Ann Cavoukian, executive director of the Global Privacy and Security by Design Centre, a consulting firm based in Toronto, said she is stunned by the breach, and by what she sees as poor followup by the government.

"It's just astounding to me. It's just, it's mind boggling to me and it's very serious — you have to protect this data," she said.

"I know data breaches happen and mistakes happen. If you're sending it to one group and you get it wrong and it ends up in the hands of another group, things happen. But 100 different groups? How does that happen? That's huge."

Though she doesn't suspect any of those agencies or community advocates of having the ill will to do something with the information, the fact it, it is out there now, said Cavoukian, who served three terms as the Ontario privacy commissioner.

"As you distribute personal information like this to organizations that aren't supposed to have it, invariably something happens," she said.

Asked if she ever came across anything like this during her time as privacy commissioner, Cavoukian said there were certainly cases of inappropriate uses personal information from time to time — "but nothing on this scale."

"If I was commissioner now and this happened in Ontario, I would be very concerned about it. I'd be all over it."

The proper response would be to send government representatives to personally check on those groups that received the email in error, not phone or send a message asking them to delete the email, Cavoukian said.

"You're just expecting them to delete it because you ask them to? How can you place your assurance in that?" she said.

"There's got to be some some followup and checking with all these agencies repeatedly until you can be given assurances that, in fact, the data has been deleted and it was never actually accessed.

"This is very sensitive information, sensitive personal information on disabled children. It should never have gone out to 100 different groups."

More news from CBC Manitoba: