Support journalism that lights the way through the climate crisis

Goal: $100k

The Ontario government has mistakenly released private information of about 45,000 disability assistance recipients.

National Observer obtained a letter from the Ministry of Children, Community and Social Services that admitted that the names, identification numbers and email addresses were disclosed “inadvertently” in an email attachment sent to about 100 disability support program recipients by the Mississauga Ontario Disability Support Program (ODSP) office.

The email was sent Dec. 20 and was about “service improvements we are making to give recipients online access to their ODSP case information,” said the the letter signed by Patti Redmond, the director of the social assistance service delivery branch.

“No personal financial information or home addresses were shared,” the letter added, noting that the ministry has “contacted all individuals to ask them to delete the email and confirm that it was deleted.”

“We are also reviewing our internal processes to prevent such errors in the future,” the letter said.

A copy of the letter received by ODSP recipients whose information was included in an excel spreadsheet mistakenly sent to 100 recipients.

Lisa MacLeod apologizes for privacy breach

The government letter to all 45,000 recipients whose information was compromised assured them that action has been taken. A letter was also sent to the 100 who received the email, asking them to delete the email.

In an email statement, MacLeod said that the breach was “due to a clerical error.”

“As soon as I was notified of this privacy breach, I took steps to ensure those impacted and the privacy commissioner were notified, and that processes and procedures were reviewed so that mistakes like this don’t happen again,” MacLeod wrote. “I sincerely apologize for this incident and want to ensure the public that we take this seriously.”

Ontario’s Information and Privacy Commissioner (IPC) has been notified of the breach, according to the letter. An IPC spokesperson confirmed in an email they had been notified and an investigation is underway.

“We do not share details of investigations or reviews while they are underway,” the IPC spokesperson wrote.

'Everything we have, they know about'

Mark Grath, a resident of Georgina, Ont., received the letter on Jan. 18. He has been an ODSP recipient for 10 years after a back injury from his youth became too painful. He left his construction job while his wife, a stay-at-home mother to their four kids, started working.

He's never been concerned about the privacy of his information because "nothing like this has ever happened before," he told National Observer in a phone interview.

ODSP has all his information, he said, from his banking information to his addresses and his children's names and ages.

"Everything we have, they know about," he said. "We don't even know the extent of it yet because nothing has happened, and hopefully nothing will happen."

The disability program supports people who cannot work full-time through no fault of their own. On Nov. 22, Ontario Minister of Social Services Lisa MacLeod announced that the earnings exemption for recipients will be raised $200 per month to $6,000 annually. Recipients will see 75 per cent of any earnings above that limit removed from their benefits. ODSP will also be redesigned to have fewer reporting requirements for those with severe disabilities, MacLeod said at the time.

Grath remains concerned about the government's response to the privacy breach, which, according to the letter, has been to request the recipients of the email to delete it.

A government official told National Observer that all recipients of the email had been contacted by the ministry; 75 per cent had confirmed that the email had been deleted. Those that didn't respond to their first round of outreach have been sent a follow-up letter and received voicemails.

The internal process is being re-examined, said the official who wouldn't comment on whether anyone has been reprimanded for the "clerical error."

"All they've done is they've asked the 100 people they've sent the information out to to delete the email," Grath said. "I don't have faith that 100 per cent of them will delete the information and forget that they were ever given it. They might hold on to it to use down the road to say 'look here's an error the government made and look at all the information I have'."

"All it takes is that one per cent to hold on to that information and who knows what they do with it."

Keep reading

I appreciate the Observer’s coverage and am a regular reader. I have a supporter’s criticism to make, however, about the phrase used in today’s coverage of the ODS program and privacy leaks. The author describes ODS recipients as people unable to work full time through “no fault of their own”. Please watch this stuff; recipients of other forms of social assistance who are not classed as disabled by the system are usually also unemployed through no fault of their own. I know that you are aware of the systemic causes of unemployment—just watch the wording, please!