Hey there, time traveller!
This article was published 6/3/2019 (284 days ago), so information in it may no longer be current.
A breach of personal health data collected by the University of Manitoba for a 2017 research study – once led by suspended professor Peter Jones – has enraged volunteer participants and raised questions about the university's information security standards.
About 420 participants in The Manitoba Personalized Lifestyle Research Program study, also called the TMPLR Study, received emailed letters on Wednesday from the U of M giving a brief overview of the data breach, apologizing to participants and informing them that the data they provided would simply be destroyed as it no longer has research value.
"The breach of privacy is disconcerting, definitely, but I think what upsets me more is that all the time and effort I put into completing the study was for nothing. I chose to participate mostly because I thought the long-term goals of the TMPLR program — to collect information that could provide valuable data for researchers and make an impact on the future medical treatment of Manitobans — were worthwhile," said one volunteer participant who asked for anonymity.
"To find out that all my data, and the data of probably hundreds of others, is now being trashed because of a foolish mistake is very upsetting."
Jones, who led the study at its inception, was a star professor at the university who served as director of the Richardson Centre for Functional Foods and Nutraceuticals. He was suspended by the university in December 2018 after the Free Press published an investigation that detailed a litany of allegations of bullying and misconduct.
The breach occurred when data collected from "some participants was not handled, stored, or secured properly." This violates the university's research data management protocols and information security standards. Because the data breach also constituted a violation of the provincial Personal Health Information Act, it is now unusable.
"There's no reason to believe that any private information has been inappropriately accessed," said John Danakas, U of M executive director of public affairs. "The likelihood that personal information was accessed or viewed inappropriately is very, very low and there's no evidence of that."
However, the data was not encrypted, it was stored somewhere off U of M property in a place where unauthorized people could have accessed it and there was no contractual agreement with the third-party company storing the data, the letter stated.
The situation is also a breach of trust, the participant said, as some of the material provided to the researchers by the participants was extremely personal in nature.
"It’s not nice to think of strangers having access to information we were assured many times would be kept entirely secure, and entirely unconnected to our names," the participant said.
"It’s quite shocking to find out that a respected research institution has such shoddy PHIA compliance."
The study was conducted in 2017 through the Richardson Centre for Functional Foods and Nutraceuticals and involved myriad resources, months of data collection and involved a mobile unit with specialized equipment that travelled throughout the province to find volunteer participants and collect their health information.
Participants went through a pair of two-hour on-site sessions that included physical testing, and filled out the questionnaires about personal and family health history, completed food diaries and wore an activity monitor for a week to measure sleep patterns.
While the letter outlined that the U of M provides training sessions on PHIA, all researchers are required to sign a PHIA Pledge of Confidentiality and there are "policies and procedures in place relating to the collection, use, disclosure, storage and destruction of personal health information," the volunteer noted those protocols were lacking or ignored in relation to the TMPLR Study data.
"The university takes the protection of private information very seriously. If a breach is suspected, an investigation occurs, identifying the individual responsible for the breach and holding that individual accountable," Danakas said, noting any disciplinary action will be based on the severity of the breach and carried out under rules of any collective agreement.
The U of M notified the Manitoba Ombudsman of the PHIA breach on Jan. 15. People affected by the data breach can lodge a complaint with the ombudsman.
"The likelihood that your data was accessed or viewed inappropriately is very low. However, we understand that this situation may cause you concern and we sincerely apologize for that," the letter to participants stated.
– With files from Ryan Thorpe
Updated on Wednesday, March 6, 2019 at 9:02 PM CST: Full write through