December 16, 2019

Winnipeg
-23° C, Clear

Full Forecast

U of M alerts volunteers of data breach

Health study participant angered research trashed after 'time and effort' put in  

Hey there, time traveller!
This article was published 6/3/2019 (284 days ago), so information in it may no longer be current.

A breach of personal health data collected by the University of Manitoba for a 2017 research study – once led by suspended professor Peter Jones – has enraged volunteer participants and raised questions about the university's information security standards.

About 420 participants in The Manitoba Personalized Lifestyle Research Program study, also called the TMPLR Study, received emailed letters on Wednesday from the U of M giving a brief overview of the data breach, apologizing to participants and informing them that the data they provided would simply be destroyed as it no longer has research value.

The study was conducted in 2017 through the Richardson Centre for Functional Foods and Nutraceuticals.

BORIS MINKEVICH / WINNIPEG FREE PRESS FILES

The study was conducted in 2017 through the Richardson Centre for Functional Foods and Nutraceuticals.

"The breach of privacy is disconcerting, definitely, but I think what upsets me more is that all the time and effort I put into completing the study was for nothing. I chose to participate mostly because I thought the long-term goals of the TMPLR program — to collect information that could provide valuable data for researchers and make an impact on the future medical treatment of Manitobans — were worthwhile," said one volunteer participant who asked for anonymity.

"To find out that all my data, and the data of probably hundreds of others, is now being trashed because of a foolish mistake is very upsetting."

Jones, who led the study at its inception, was a star professor at the university who served as director of the Richardson Centre for Functional Foods and Nutraceuticals. He was suspended by the university in December 2018 after the Free Press published an investigation that detailed a litany of allegations of bullying and misconduct.

The breach occurred when data collected from "some participants was not handled, stored, or secured properly." This violates the university's research data management protocols and information security standards. Because the data breach also constituted a violation of the provincial Personal Health Information Act, it is now unusable.

"There's no reason to believe that any private information has been inappropriately accessed," said John Danakas, U of M executive director of public affairs. "The likelihood that personal information was accessed or viewed inappropriately is very, very low and there's no evidence of that."

However, the data was not encrypted, it was stored somewhere off U of M property in a place where unauthorized people could have accessed it and there was no contractual agreement with the third-party company storing the data, the letter stated.

The situation is also a breach of trust, the participant said, as some of the material provided to the researchers by the participants was extremely personal in nature.

"It’s not nice to think of strangers having access to information we were assured many times would be kept entirely secure, and entirely unconnected to our names," the participant said.

"It’s quite shocking to find out that a respected research institution has such shoddy PHIA compliance."

The study was conducted in 2017 through the Richardson Centre for Functional Foods and Nutraceuticals and involved myriad resources, months of data collection and involved a mobile unit with specialized equipment that travelled throughout the province to find volunteer participants and collect their health information.

Participants went through a pair of two-hour on-site sessions that included physical testing, and filled out the questionnaires about personal and family health history, completed food diaries and wore an activity monitor for a week to measure sleep patterns.

While the letter outlined that the U of M provides training sessions on PHIA, all researchers are required to sign a PHIA Pledge of Confidentiality and there are "policies and procedures in place relating to the collection, use, disclosure, storage and destruction of personal health information," the volunteer noted those protocols were lacking or ignored in relation to the TMPLR Study data.

"The university takes the protection of private information very seriously. If a breach is suspected, an investigation occurs, identifying the individual responsible for the breach and holding that individual accountable," Danakas said, noting any disciplinary action will be based on the severity of the breach and carried out under rules of any collective agreement.

The U of M notified the Manitoba Ombudsman of the PHIA breach on Jan. 15. People affected by the data breach can lodge a complaint with the ombudsman.

"The likelihood that your data was accessed or viewed inappropriately is very low. However, we understand that this situation may cause you concern and we sincerely apologize for that," the letter to participants stated.

ashley.prest@freepress.mb.ca

– With files from Ryan Thorpe

History

Updated on Wednesday, March 6, 2019 at 9:02 PM CST: Full write through

You can comment on most stories on The Winnipeg Free Press website. You can also agree or disagree with other comments. All you need to do is be a Winnipeg Free Press print or digital subscriber to join the conversation and give your feedback.

Have Your Say

Have Your Say

Comments are open to The Winnipeg Free Press print or digital subscribers only. why?

Have Your Say

Comments are open to The Winnipeg Free Press Subscribers only. why?

By submitting your comment, you agree to abide by our Community Standards and Moderation Policy. These guidelines were revised effective February 27, 2019. Have a question about our comment forum? Check our frequently asked questions.